Abstract. In this paper we consider the problem of testing whether two finite groups are isomorphic. Whereas the case where both groups are abelian is well understood and can be solved efficiently, very little is known about the complexity of isomorphism testing for nonabelian groups. Le Gall has constructed an efficient classical algorithm for a class of groups corresponding to one of the most natural ways of constructing nonabelian groups from abelian groups: the groups that are extensions of an abelian group $A$ by a cyclic group $\mathbb{Z}_m$, with the order of $A$ coprime with $m$. More precisely, the running time of that algorithm is almost linear in the order of the input groups. In this paper we present a quantum algorithm solving the same problem in time polynomial in the logarithm of the order of the input groups. This algorithm works in the black-box setting and is the first quantum algorithm solving instances of the nonabelian group isomorphism problem exponentially faster than the best known classical algorithms.

1 Introduction

Background. Testing group isomorphism (the problem asking to decide, for two given finite groups $G$ and $H$, whether there exists an isomorphism between $G$ and $H$) is a fundamental problem in computational group theory, but little is known about its complexity. It is known that the group isomorphism problem (for groups given by their multiplication tables) reduces to the graph isomorphism problem, and thus the group isomorphism problem is in the complexity class $\mathrm{NP} \cap \mathrm{coAM}$ (since the graph isomorphism problem is in this class [12]). Miller [27] has developed a general technique to check group isomorphism in time $O(n^{\log n + O(1)})$, where $n$ denotes the size of the input groups, and Lipton, Snyder and Zalcstein [25] have given an algorithm working in $O(\log^2 n)$ space. However, no polynomial-time algorithm is known for the general case of this problem.

Another line of research is the design of algorithms solving the group isomorphism problem for particular classes of groups. For abelian groups, polynomial-time algorithms follow directly from efficient algorithms for the computation of the Smith normal form of integer matrices [10, 18]. More efficient methods have been given by Vikas [33] and Kavitha [20] for abelian groups given by their multiplication tables, and fast parallel algorithms have been constructed by McKenzie and Cook [26] for abelian permutation groups. The current fastest algorithm solving the abelian group isomorphism problem for groups given as black boxes has been developed by Buchmann and Schmidt [7] and works in time $O(n^{1/2}(\log n)^{O(1)})$. However, as far as nonabelian groups are concerned, very little is known. For solvable groups, Arvind and Torán [1] have shown that the group isomorphism problem is in $\mathrm{NP} \cap \mathrm{coNP}$ under certain complexity assumptions but, until recently, the only polynomial-time algorithms testing isomorphism of nontrivial classes of nonabelian groups were a result by Garzon and Zalcstein [15], which holds for a very restricted class, and a body of works initiated by Cooperman et al. [11] on simple groups, which will be discussed later.

Very recently, Le Gall [23] proposed an efficient classical algorithm solving the group isomorphism problem over another class of nonabelian groups. Since for abelian groups the group isomorphism problem can be solved efficiently, that work focused on one of the most natural next targets: cyclic extensions of abelian groups. Loosely speaking, such extensions are constructed by taking an abelian group $A$ and adding one element $y$ that, in general, does not commute with the elements of $A$. More formally, the class of groups considered in [23], denoted by $\mathcal{S}$, was the following.

Definition 1.1. Let $G$ be a finite group. The group $G$ is said to be in the class $\mathcal{S}$ if there exists a normal abelian subgroup $A$ of $G$ and an element $y \in G$ of order coprime with $|A|$ such that $G = \langle A, y \rangle$.

In technical words, $G$ is an extension of an abelian group $A$ by a cyclic group $\mathbb{Z}_m$ with $\gcd(|A|, m) = 1$. This class of groups includes all the abelian groups and many nonabelian groups too, as discussed in detail in [23]. For example, for $A = \mathbb{Z}_3^4$ and $m = 4$, there are exactly 9 isomorphism classes in $\mathcal{S}$ (1 class of abelian groups and 8 classes of nonabelian groups). Moreover, the class $\mathcal{S}$ includes several groups that have been the target of quantum algorithms, as discussed later. The main result in [23] was the following theorem.

Theorem 1.1 ([23]). There exists a deterministic algorithm checking whether two groups $G$ and $H$ in the class $\mathcal{S}$ (given as black-box groups) are isomorphic and, if this is the case, computing an isomorphism from $G$ to $H$. Its running time has for upper bound $n^{1+o(1)}$, where $n = \min(|G|, |H|)$.

Statement of our results. In the present paper, we focus on quantum algorithms solving the group isomorphism problem in the black-box setting. Cheung and Mosca [9] have shown how to compute the decomposition of an abelian group into a direct product of cyclic subgroups in time polynomial in the logarithm of its order on a quantum computer, and thus how to solve the abelian group isomorphism problem in time polynomial in $\log n$ in the black-box model. (Notice that their algorithm is actually a generalization of Shor's algorithm [31], which can be seen as solving the group isomorphism problem over cyclic groups.) This gives an exponential speed-up with respect to the best known classical algorithms for the same task. One can naturally ask whether a similar speed-up can be obtained for classes of nonabelian groups. In this paper, we prove that this is the case. Our main result is the following theorem.

Theorem 1.2. There exists a quantum algorithm checking with high probability whether two groups $G$ and $H$ in the class $\mathcal{S}$ given as black-box groups are isomorphic and, if this is the case, computing an isomorphism from $G$ to $H$. Its running time is polynomial in $\log n$, where $n = \min(|G|, |H|)$.

To our knowledge, this is the first quantum algorithm solving nonabelian instances of the group isomorphism problem exponentially faster than the best known classical algorithms. Our algorithm relies on several new quantum reductions to instances of the so-called abelian Hidden Subgroup Problem, a problem that can be solved efficiently on a quantum computer. Our result can then be seen as an extension of the polynomial-time library of computational tasks which can be accomplished using Shor's factoring and discrete logarithm algorithms [31], and further quantum algorithms for abelian groups. We also mention that groups in the class $\mathcal{S}$ appear on several occasions in the quantum computation literature, mostly connected to the Hidden Subgroup Problem over semidirect product groups [6, 13, 16, 28]. Our techniques may have applications in the design of further quantum algorithms for this problem, or for other similar group-theoretic tasks.

Overview of our algorithm. Our quantum algorithm follows the same line as the classical algorithm in [23], but the two main technical parts are both significantly improved and modified.

Since a group $G$ in the class $\mathcal{S}$ may in general be written as the extension of an abelian group $A_1$ by a cyclic group $\mathbb{Z}_{m_1}$, and as the extension of an abelian group $A_2$ by a cyclic group $\mathbb{Z}_{m_2}$ with $A_1 \neq A_2$ and $m_1 \neq m_2$, we use, as in [23], the concept of a standard decomposition of $G$, which is an invariant for the groups in the class $\mathcal{S}$ in the sense that two isomorphic groups have similar standard decompositions (but the converse is false). A method for computing efficiently standard decompositions in the black-box model was one of the main contributions of [23], where the time complexity of this step was $O(n^{1+o(1)})$ due to the fact that the procedure proposed had to try, in the worst case, for each generator $g$ of $G$, all the divisors of $|g|$. Instead, in the present work we propose a different procedure for this task (Section 3), which can be implemented in time polynomial in $\log n$ on a quantum computer, based on careful reductions to group-theoretic problems for which efficient quantum algorithms are known: order finding, decomposing abelian groups and constructive membership in abelian groups.

Knowing standard decompositions of $G$ and $H$ allows us to consider only the case where $G$ and $H$ are two extensions of the same abelian group $A$ by the same cyclic group $\mathbb{Z}_m$ (Proposition 6.1). Two matrices $M_1$ and $M_2$ in the group $GL(r, \mathbb{F})$ of invertible matrices of size $r \times r$ over some well-chosen finite field $\mathbb{F}$ can then be associated to the action of $\mathbb{Z}_m$ on $A$ in the groups $G$ and $H$ respectively. The second main technical contribution of [23] showed that, loosely speaking, testing isomorphism of $G$ and $H$ then reduces (when the order of $A$ is coprime with $m$) to checking whether there exists an integer $k \in \{1, \ldots, m\}$ such that $M_1$ and $M_2^k$ are conjugate in $GL(r, \mathbb{F})$ (a precise version of this statement is given in Proposition 6.2 of the present paper). The strategy adopted in [23] to solve this problem had time complexity close to $n$ in the worst case (basically, all the integers $k$ in $\{1, \ldots, m\}$ were checked). In the present paper, we give a $\mathrm{poly}(\log n)$-time quantum algorithm for this problem. More generally, we show in Section 5 that the problem of testing, for any two matrices $M_1$ and $M_2$ in $GL(r, \mathbb{F})$ where $r$ is any positive integer and $\mathbb{F}$ is any finite field, whether there exists a positive integer $k$ such that $M_1$ and $M_2^k$ are conjugate in the group $GL(r, \mathbb{F})$ reduces to solving an instance of a problem we call SET DISCRETE LOGARITHM. This quantum reduction is efficient in that it can be implemented in time polynomial in both $r$ and $\log|\mathbb{F}|$, and works by considering field extensions of $\mathbb{F}$ and matrix invariants of $M_1$ and $M_2$.

Loosely speaking, the problem SET DISCRETE LOGARITHM asks, given two sets $\{x_1, \ldots, x_v\}$ and $\{y_1, \ldots, y_v\}$ of elements in $\mathbb{F}$, to compute an integer $k$ such that $\{y_1^k, \ldots, y_v^k\} = \{x_1, \ldots, x_v\}$, if such an integer exists. This computational problem is a generalization of the standard discrete logarithm problem (which is basically the case $v = 1$) but appears to be much more challenging.¹ The quantum algorithm we propose (in Section 4) works in time polynomial in $v$ and $\log|\mathbb{F}|$, and relies on a reduction to several instances of the abelian Hidden Subgroup Problem. Our solution to the problem SET DISCRETE LOGARITHM is then an extension of the computational tasks which can be solved efficiently using known quantum algorithms for abelian groups.

¹To illustrate this point, let us consider the following simple strategy: for each $j \in \{1, \ldots, v\}$, try to find some $k$ such that $y_1^k = x_j$ using the quantum algorithm for the standard discrete logarithm problem by Shor [31], and then check whether $\{y_1^k, \ldots, y_v^k\} = \{x_1, \ldots, x_v\}$. The problem here is that a $k$ such that $y_1^k = x_j$ will only be defined modulo $|y_1|$, and it may be the case that $\{y_1^k, \ldots, y_v^k\} \neq \{x_1, \ldots, x_v\}$ but $\{y_1^{k'}, \ldots, y_v^{k'}\} = \{x_1, \ldots, x_v\}$ for some $k'$ satisfying $k' \equiv k \bmod |y_1|$. Testing all these $k'$'s can take exponential time.
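The following Python block is an added illustration of SET DISCRETE LOGARITHM and of the pitfall described in the footnote; it is not code from the paper. It works in the multiplicative group of a constructed prime field $\mathbb{F}_{13}$, replaces the quantum algorithm of Section 4 by exhaustive search over $k$ (feasible only for tiny fields), and shows concretely that a single discrete logarithm $y_1^k = x_j$ pins $k$ down only modulo $|y_1|$, so the set equation can fail for that $k$ and hold for a lift $k' \equiv k \bmod |y_1|$. The instance ($p = 13$, $y_1 = 3$, $y_2 = 5$, hidden exponent 5) is constructed for the example.

```python
# SET DISCRETE LOGARITHM over F_p^* by exhaustive search, with the pitfall of the
# footnote. Added example, not from the paper: p, the two sets and the hidden exponent
# are constructed here, and the quantum algorithm of Section 4 is replaced by brute
# force over k, which is only feasible for tiny fields but shows why one discrete
# logarithm does not settle the set equation.
from math import gcd

def order_mod(g, p):
    """Multiplicative order of g in F_p^* (brute force; Task (i) of Theorem 2.1)."""
    k, x = 1, g % p
    while x != 1:
        x, k = x * g % p, k + 1
    return k

def power_set(ys, k, p):
    """{y_1^k, ..., y_v^k}."""
    return {pow(y, k, p) for y in ys}

def single_dlog(y, x, p):
    """Standard discrete logarithm (v = 1): least k >= 0 with y^k = x, or None if x is not in <y>."""
    for k in range(order_mod(y, p)):
        if pow(y, k, p) == x:
            return k
    return None

def naive_strategy(xs, ys, p):
    """Footnote 1: for each x_j find k with y_1^k = x_j and test the set equation with that
    single k. Returns the k that passed, or None; the k is only determined modulo |y_1|."""
    for xj in xs:
        k = single_dlog(ys[0], xj, p)
        if k is not None and power_set(ys, k, p) == set(xs):
            return k
    return None

def lifts(k, y1, p, L):
    """All k' in [1, L] with k' = k (mod |y_1|): the candidates the footnote would have to try."""
    r = order_mod(y1, p)
    return [kp for kp in range(1, L + 1) if kp % r == k % r]

def set_dlog(xs, ys, p):
    """Least k in [1, L] with {y_1^k, ..., y_v^k} = {x_1, ..., x_v}, where L = lcm of the |y_i|
    (exponents only matter modulo L). None if no such k exists."""
    L = 1
    for y in ys:
        L = L * order_mod(y, p) // gcd(L, order_mod(y, p))
    target = set(xs)
    for k in range(1, L + 1):
        if power_set(ys, k, p) == target:
            return k
    return None

# Constructed instance in F_13^*: y_1 = 3 has order 3 and y_2 = 5 has order 4, so the
# exponent lives modulo 12. The hidden exponent is 5, giving X = {3^5, 5^5} = {9, 5}.
P, YS = 13, [3, 5]
XS = [pow(y, 5, P) for y in YS]
```

On this instance `single_dlog(3, 9, 13)` returns 2, the set $\{3^2, 5^2\} = \{9, 12\}$ differs from $X$, and the naive strategy reports no solution, while the exhaustive search over the $\mathrm{lcm}(3, 4) = 12$ candidates finds $k = 5$, one of the four lifts of 2 modulo 3.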

Other related works. To our knowledge, the only other work on polylogarithmic-time nonabelian group isomorphism testing in the black-box setting is a body of results, initiated by Cooperman et al. [11], focusing on identifying simple groups. Recall that a simple group is a group that has no nontrivial proper normal subgroup. A celebrated result in group theory classifies all the finite simple groups into 26 sporadic groups and a small number of infinite families in which each group has a label of some prescribed form. A natural question that arises is, given a black-box group guaranteed to be simple, how to compute this label, i.e., how to identify this group. It is known that, based on the mathematical properties of the simple groups, it is possible to do this (classically) in polylogarithmic time whenever the input is guaranteed to be a so-called classical group over a field of known characteristic. We refer to the book by Kantor and Seress [19] and references therein for an extensive treatment of this subject.

2 Preliminaries 

2.1 Group theory and standard decompositions 

We assume that the reader is familiar with the basic notions of group theory and state without 
proofs definitions and properties of groups we will use in this paper. 

For any positive integer $m$, we denote by $\mathbb{Z}_m$ the additive cyclic group of integers $\{0, \ldots, m-1\}$, and by $\mathbb{Z}_m^*$ the multiplicative group of integers in $\{1, \ldots, m-1\}$ coprime with $m$.

Let $G$ be a finite group. For any subgroup $H$ and any normal subgroup $K$ of $G$ we denote by $HK$ the subgroup $\{hk \mid h \in H, k \in K\} = \{kh \mid h \in H, k \in K\}$. Given a set $S$ of elements of $G$, the subgroup generated by the elements of $S$ is written $\langle S \rangle$. We say that two elements $g_1$ and $g_2$ of $G$ are conjugate in $G$ if there exists an element $y \in G$ such that $g_2 = y g_1 y^{-1}$. For any two elements $g, h \in G$ we denote by $[g, h]$ the commutator of $g$ and $h$, i.e., $[g, h] = g h g^{-1} h^{-1}$. More generally, given two subsets $S_1$ and $S_2$ of $G$, we define $[S_1, S_2] = \langle [s_1, s_2] \mid s_1 \in S_1, s_2 \in S_2 \rangle$. The commutator subgroup of $G$ is defined as $G' = [G, G]$. The derived series of $G$ is defined recursively as $G^{(0)} = G$ and $G^{(i+1)} = (G^{(i)})'$. The group $G$ is said to be solvable if there exists some integer $k$ such that $G^{(k)} = \{e\}$. Given two groups $G_1$ and $G_2$, a map $\phi: G_1 \to G_2$ is a homomorphism from $G_1$ to $G_2$ if, for any two elements $g$ and $g'$ in $G_1$, the relation $\phi(gg') = \phi(g)\phi(g')$ holds. We say that $G_1$ and $G_2$ are isomorphic if there exists a bijective homomorphism from $G_1$ to $G_2$, and we write $G_1 \cong G_2$.

Given any finite group $G$, we denote by $|G|$ its order and, given any element $g$ in $G$, we denote by $|g|$ the order of $g$ in $G$. For any prime $p$, we say that a group is a $p$-group if its order is a power of $p$. If $|G| = p_1^{e_1} \cdots p_r^{e_r}$ for distinct prime numbers $p_i$, then for each $i \in \{1, \ldots, r\}$ the group $G$ has a subgroup of order $p_i^{e_i}$. Such a subgroup is called a Sylow $p_i$-subgroup of $G$. Moreover, if $G$ is additionally abelian, then each Sylow $p_i$-subgroup is unique and $G$ is the direct product of its Sylow subgroups. Abelian $p$-groups have remarkably simple structures: any abelian $p$-group is isomorphic to a direct product of cyclic $p$-groups $\mathbb{Z}_{p^{f_1}} \times \cdots \times \mathbb{Z}_{p^{f_s}}$ for some positive integer $s$ and positive integers $f_1 \le \cdots \le f_s$, and this decomposition is unique. We say that a set $\{g_1, \ldots, g_t\}$ of $t$ elements of an abelian group $G$ is a basis of $G$ if $G = \langle g_1 \rangle \times \cdots \times \langle g_t \rangle$ and the order of each $g_i$ is a prime power.

For a given group $G$ in the class $\mathcal{S}$, in general many different decompositions as an extension of an abelian group by a cyclic group exist. For example, the abelian group $\mathbb{Z}_6 = \langle x_1, x_2 \mid x_1^2 = x_2^3 = [x_1, x_2] = e \rangle$ can be written as $\langle x_1 \rangle \times \langle x_2 \rangle$, $\langle x_2 \rangle \times \langle x_1 \rangle$ or $\langle x_1, x_2 \rangle \times \{e\}$. That is why we introduce the notion of a standard decomposition, as it was done in [23].

Definition 2.1. Let $G$ be a finite group in the class $\mathcal{S}$. For any positive integer $m$ denote by $\mathcal{E}_G^m$ the set (possibly empty) of pairs $(A, B)$ such that the following three conditions hold: (i) $A$ is a normal abelian subgroup of $G$ of order coprime with $m$; (ii) $B$ is a cyclic subgroup of $G$ of order $m$; and (iii) $G = AB$. Let $\gamma(G)$ be the smallest positive integer such that $\mathcal{E}_G^{\gamma(G)} \neq \emptyset$. A standard decomposition of $G$ is an element of $\mathcal{E}_G^{\gamma(G)}$.

2.2 Black-box groups and the abelian Hidden Subgroup Problem 

In this paper we work in the black-box model, first introduced (in the classical setting) by Babai and Szemerédi. A black-box group is a representation of a group $G$ where elements are represented by strings, and an oracle is available to perform group operations. To take advantage of the power of quantum computation when dealing with black-box groups, the oracles performing group operations have to be able to deal with quantum superpositions. These quantum black-box groups were first studied by Ivanyos et al. [17] and Watrous [34, 35], and have become the standard model for studying group-theoretic problems in the quantum setting.

More precisely, a quantum black-box group is a representation of a group where elements are represented by strings (of the same length, supposed to be logarithmic in the order of the group). We assume the usual unique encoding hypothesis, i.e., each element of the group is encoded by a unique string, which is crucial for technical reasons (without it, most quantum algorithms do not work). A quantum oracle $V_G$ is available, such that $V_G(|g\rangle|h\rangle) = |g\rangle|gh\rangle$ for any $g$ and $h$ in $G$ (using strings to represent the group elements), and behaving in an arbitrary way on other inputs.² We say that a group $G$ is input as a black box if a set of strings representing generators $\{g_1, \ldots, g_s\}$ of $G$ with $s = O(\log|G|)$ is given as input, and queries to the oracle can be done at cost 1. The hypothesis on $s$ is natural since every group $G$ has a generating set of size $O(\log|G|)$, and enables us to make the exposition of our results easier. Also notice that a set of generators of any size can be converted efficiently into a set of generators of size $O(\log|G|)$ if randomization is allowed [3].

Any efficient quantum black-box algorithm gives rise to an efficient concrete quantum algorithm whenever the oracle operations can be replaced by efficient procedures. In particular, when a mathematical expression of the generators input to the algorithm is known, group operations can be performed directly on the elements in polynomial time (in $\log|G|$) for many natural groups, including permutation groups and matrix groups. This is why the black-box model is one of the most general settings to work with when considering group-theoretic problems, and especially when designing sublinear-time algorithms for such problems.

Quantum algorithms are very efficient for solving computational problems over abelian groups. In the following theorem, we describe the main results we will need in this paper.

Theorem 2.1 ([9, 17, 31]). There exist quantum algorithms solving, in time polynomial in $\log|G|$, the following computational tasks with probability at least $1 - 1/\mathrm{poly}(|G|)$:

(i) Given a group $G$ given as a black box (with unique encoding) and any element $g \in G$, compute the order of $g$ in $G$.

²A quantum oracle computing the inverse of elements is not necessary since the inverse of an element can be computed if one knows its order; this latter task can be done efficiently as stated in Theorem 2.1.
(ii) Given an abelian group $G$ given as a black box (with unique encoding), compute a basis $(g_1, \ldots, g_s)$ of $G$.

(iii) Given an abelian group $G$ given as a black box (with unique encoding), a basis $(g_1, \ldots, g_s)$ of $G$, and any $g \in G$, compute a decomposition of $g$ over $(g_1, \ldots, g_s)$, i.e., integers $u_1, \ldots, u_s$ such that $g = g_1^{u_1} \cdots g_s^{u_s}$.

More precisely, Task (i) can be solved using a black-box version of Shor's algorithm [31], Task (ii) can be solved using Cheung and Mosca's algorithm [9], and Task (iii) can be solved using the quantum algorithm by Ivanyos et al. [17]. The discrete logarithm problem is the special case of Task (iii) above when $G$ is a cyclic group. Moreover, since factoring an integer reduces to computing the order of elements in a cyclic group, the efficient solution to Task (i) implies an efficient solution for the integer factoring problem (we refer to Shor's paper [31] for a precise description of this reduction).

Actually, all the tasks in Theorem 2.1 can be seen as black-box versions of instances of the so-called Hidden Subgroup Problem (HSP) over abelian groups. We now recall the definition of this problem, since we will need it in Section 5. Let $G$ be a group, $K$ be a subgroup of $G$, and $X$ be a finite set. A function $f: G \to X$ is said to be $K$-periodic if $f$ is constant on each left coset of $K$, with distinct values on distinct cosets. Given as inputs (i) a group $G$ given as a set of generators, and (ii) a function $f$ given as an oracle, which is $K$-periodic for an unknown subgroup $K$ of $G$, the Hidden Subgroup Problem asks to output a set of generators for $K$. The abelian Hidden Subgroup Problem is the special case where the underlying group $G$ is abelian. It is known that the abelian HSP can be solved in time polynomial in $\log|G|$, even if $G$ is given as a black-box group with unique encoding [17, 29].
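The Python block below is an added illustration, not code from the paper, of how Tasks (i) and (iii) of Theorem 2.1 are instances of the abelian HSP. The hiding functions are the standard ones ($f(x) = g^x$ on $\mathbb{Z}_{p-1}$ for order finding, $f(a, b) = g^a h^{-b}$ on $\mathbb{Z}_r \times \mathbb{Z}_r$ for the discrete logarithm); the hidden subgroup $K$ is recovered classically as the set of all periods of $f$ by exhaustive evaluation, which a quantum algorithm replaces by Fourier sampling. The prime $p = 13$ and the elements used are constructed for the example.

```python
# The abelian Hidden Subgroup Problem instances behind Tasks (i) and (iii) of
# Theorem 2.1, modelled classically on small groups. Added example, not from the paper:
# the hiding function is evaluated exhaustively and the hidden subgroup K is read off as
# the set of all periods. A quantum algorithm recovers the same K from poly(log N)
# Fourier samples; this brute force only makes the reduction itself concrete.

def is_k_periodic(f, N, K):
    """Definition of Section 2.2 on G = Z_N: f is constant on each coset of K and takes
    distinct values on distinct cosets."""
    by_coset = {}
    for x in range(N):
        coset = frozenset((x + k) % N for k in K)
        by_coset.setdefault(coset, set()).add(f(x))
    constant = all(len(vals) == 1 for vals in by_coset.values())
    distinct = len({min(vals) for vals in by_coset.values()}) == len(by_coset)
    return constant and distinct

def hidden_subgroup_zn(f, N):
    """K = {k in Z_N : f(x + k) = f(x) for all x}, a subgroup when f is K-periodic."""
    return [k for k in range(N) if all(f((x + k) % N) == f(x) for x in range(N))]

def hidden_subgroup_zn2(f, N):
    """Same over Z_N x Z_N, for functions f(a, b)."""
    return [(a, b) for a in range(N) for b in range(N)
            if all(f((x + a) % N, (y + b) % N) == f(x, y) for x in range(N) for y in range(N))]

def order_via_hsp(g, p):
    """Task (i) in F_p^*: f(x) = g^x on Z_{p-1} hides <|g|>, so |g| is the least positive period."""
    N = p - 1                      # |F_p^*| is a multiple of |g|, so f is well defined on Z_N
    K = hidden_subgroup_zn(lambda x: pow(g, x, p), N)
    return K[1] if len(K) > 1 else N

def dlog_via_hsp(g, h, p):
    """Task (iii) on the cyclic group <g>: f(a, b) = g^a h^(-b) on Z_r x Z_r with r = |g|
    hides K = {(a, b) : g^a = h^b} = <(log_g h, 1)>, so log_g h is the a-coordinate of the
    element of K with b = 1. Returns None when h is not in <g>."""
    r = order_via_hsp(g, p)
    h_inv = pow(h, -1, p)
    K = hidden_subgroup_zn2(lambda a, b: pow(g, a, p) * pow(h_inv, b, p) % p, r)
    for a, b in K:
        if b == 1:
            return a
    return None
```

In $\mathbb{F}_{13}^*$ the element $4$ has order 6 and $9 = 4^4$; the order-finding function hides $\{0, 6\} \le \mathbb{Z}_{12}$ and the discrete-logarithm function hides the six-element subgroup generated by $(4, 1)$ in $\mathbb{Z}_6 \times \mathbb{Z}_6$, from which the logarithm 4 is read off.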

2.3 Invariant factors and elementary divisors of a matrix 

In this subsection we review the notions of invariant factors and elementary divisors of a matrix. These are standard results, and we refer to any textbook on algebra for proofs and more details. In this subsection $\mathbb{F}$ denotes a finite field, and $GL(r, \mathbb{F})$ denotes the group of invertible matrices of size $r \times r$ over $\mathbb{F}$ for some positive integer $r$.

Let $a(x) = x^k + b_{k-1}x^{k-1} + \cdots + b_1 x + b_0$ be any monic polynomial in $\mathbb{F}[x]$. The companion matrix of $a(x)$, denoted by $C_{a(x)}$, is the $k \times k$ matrix with 1's down the first subdiagonal, $-b_0, -b_1, \ldots, -b_{k-1}$ down the last column and zero elsewhere. For example, the companion matrix of $x^4 + b_3x^3 + b_2x^2 + b_1x + b_0$ is the matrix

$$C_{a(x)} = \begin{pmatrix} 0 & 0 & 0 & -b_0 \\ 1 & 0 & 0 & -b_1 \\ 0 & 1 & 0 & -b_2 \\ 0 & 0 & 1 & -b_3 \end{pmatrix}.$$

Let $M$ be a matrix in $GL(r, \mathbb{F})$. Then it is known that there exists a unique list $(a_1(x), \ldots, a_s(x))$ of monic polynomials in $\mathbb{F}[x]$, with each polynomial $a_i(x)$ dividing $a_{i+1}(x)$ for each $i \in \{1, \ldots, s-1\}$, such that $M$ is similar to the block diagonal matrix $\mathrm{diag}(C_{a_1(x)}, \ldots, C_{a_s(x)})$. This list of polynomials is called the invariant factors of $M$, and this block diagonal matrix is called the rational normal form of the matrix $M$ and is unique. In particular the polynomial $a_s(x)$ is the minimal polynomial of $M$, i.e., the (unique) monic polynomial of smallest degree in $\mathbb{F}[x]$ such that $a_s(M) = 0$. It is known that two matrices are conjugate in $GL(r, \mathbb{F})$ if and only if they have the same invariant factors (or equivalently if they have the same rational normal form). Moreover, these invariants are the same if $M$ is seen as a matrix over a field extension $\mathbb{K}$ of $\mathbb{F}$, i.e., two matrices in $GL(r, \mathbb{F})$ are similar in $GL(r, \mathbb{F})$ if and only if they are similar in $GL(r, \mathbb{K})$.

Let $\mathbb{K}$ be a field extension of $\mathbb{F}$ that splits the minimal polynomial $a_s(x)$ of $M$, i.e., $a_s(x) = (x - \lambda_1)^{b_1} \cdots (x - \lambda_t)^{b_t}$ where the $\lambda_j$'s are distinct elements of $\mathbb{K}$ and the $b_j$'s are their multiplicities. Each invariant factor $a_i(x)$ of $M$ can then be written as $a_i(x) = (x - \lambda_1)^{c_{i1}} \cdots (x - \lambda_t)^{c_{it}}$, where each $c_{ij}$ is a nonnegative integer in $\{0, \ldots, b_j\}$. Then the set of elementary divisors of $M$ is the set with possible repetitions

$$\{(x - \lambda_j)^{c_{ij}} \mid i \in \{1, \ldots, s\},\ j \in \{1, \ldots, t\} \text{ such that } c_{ij} \neq 0\}.$$

The set of elementary divisors associated to $M$ is unique, and it is known that two matrices are similar in $GL(r, \mathbb{F})$ if and only if they have the same set of elementary divisors over $\mathbb{K}$, when $\mathbb{K}$ is an extension field of $\mathbb{F}$ splitting both their minimal polynomials. For example, suppose that $r = 4$, $s = 2$, $a_2(x) = (x - \lambda_1)(x - \lambda_2)^2$, and $a_1(x) = (x - \lambda_1)$ for distinct elements $\lambda_1$ and $\lambda_2$ in $\mathbb{K}$. Then the set of elementary divisors is $\{(x - \lambda_1), (x - \lambda_1), (x - \lambda_2)^2\}$.

The elementary divisors of $M$ are closely connected to the so-called Jordan normal form of $M$. Let $c$ be a positive integer and $\lambda$ be an element in $\mathbb{K}$. The Jordan matrix of size $c$ associated to $\lambda$, denoted by $J(\lambda, c)$, is the $c \times c$ matrix with $\lambda$ along the main diagonal and 1 along the first superdiagonal. For example:

$$J(\lambda, 4) = \begin{pmatrix} \lambda & 1 & 0 & 0 \\ 0 & \lambda & 1 & 0 \\ 0 & 0 & \lambda & 1 \\ 0 & 0 & 0 & \lambda \end{pmatrix}.$$

It is easy to check that the minimal polynomial of $J(\lambda, c)$ is $(x - \lambda)^c$. In particular, this shows that the set of elementary divisors of $J(\lambda, c)$ is $\{(x - \lambda)^c\}$.

Suppose that the set of elementary divisors of a matrix $M$ (in $GL(r, \mathbb{F})$, but seen as a matrix in $GL(r, \mathbb{K})$ where $\mathbb{K}$ splits its minimal polynomial) is $\{(x - \lambda_k)^{d_k} \mid k \in \{1, \ldots, \ell\}\}$, where the $\lambda_k$'s may not be distinct (and necessarily $r = \sum_{k=1}^{\ell} d_k$). Then it is known that $M$ is similar over $GL(r, \mathbb{K})$ to the block diagonal matrix

$$\mathrm{diag}(J(\lambda_1, d_1), \ldots, J(\lambda_\ell, d_\ell)).$$

This block diagonal matrix is called the Jordan normal form of $M$ and is unique up to the ordering of the $\lambda_k$'s. For example the Jordan normal form for the example considered above with the set of elementary divisors $\{(x - \lambda_1), (x - \lambda_1), (x - \lambda_2)^2\}$ is

$$\mathrm{diag}(J(\lambda_1, 1), J(\lambda_1, 1), J(\lambda_2, 2)) = \begin{pmatrix} \lambda_1 & 0 & 0 & 0 \\ 0 & \lambda_1 & 0 & 0 \\ 0 & 0 & \lambda_2 & 1 \\ 0 & 0 & 0 & \lambda_2 \end{pmatrix}.$$
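As an added worked example (not code from the paper), the Python block below builds companion matrices and Jordan blocks over a prime field $\mathbb{F}_p$ and checks the statements of this subsection on concrete matrices: $a(C_{a(x)}) = 0$, the minimal polynomial of $J(\lambda, c)$ is $(x - \lambda)^c$, and $J(1, 2)$ is similar to $C_{(x-1)^2}$ but not to the identity, whose elementary divisors are $\{(x-1), (x-1)\}$. Similarity is decided by enumerating all of $GL(r, p)$, which is only feasible for tiny $r$ and $p$; the last function brute-forces the question "is $M_1$ conjugate to some power $M_2^k$" that the overview attributes to Proposition 6.2. The field $\mathbb{F}_3$ and the matrices used are chosen for the example.

```python
# Companion matrices, Jordan blocks and similarity over F_p (Section 2.3), checked by
# brute force. Added example, not the paper's code: the field is a prime field F_p and
# similarity is decided by enumerating GL(r, p), feasible only for tiny r and p.
from itertools import permutations, product

def mat_mul(A, B, p):
    n, m, k = len(A), len(B[0]), len(B)
    return [[sum(A[i][l] * B[l][j] for l in range(k)) % p for j in range(m)] for i in range(n)]

def mat_add(A, B, p):
    return [[(a + b) % p for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def scalar_mat(c, n, p):
    return [[c % p if i == j else 0 for j in range(n)] for i in range(n)]

def mat_pow(A, e, p):
    R = scalar_mat(1, len(A), p)
    for _ in range(e):
        R = mat_mul(R, A, p)
    return R

def is_zero(A):
    return all(x == 0 for row in A for x in row)

def det(A, p):
    """Leibniz formula; fine for the 2x2 and 3x3 matrices used here."""
    total = 0
    for perm in permutations(range(len(A))):
        sign = 1
        for i in range(len(A)):
            for j in range(i + 1, len(A)):
                if perm[i] > perm[j]:
                    sign = -sign
        term = sign
        for i in range(len(A)):
            term *= A[i][perm[i]]
        total += term
    return total % p

def poly_at_matrix(coeffs, A, p):
    """a(A) for the monic a(x) = x^k + b_{k-1} x^{k-1} + ... + b_0, coeffs = [b_0, ..., b_{k-1}]."""
    n, k = len(A), len(coeffs)
    R = mat_pow(A, k, p)
    for i, b in enumerate(coeffs):
        R = mat_add(R, mat_mul(scalar_mat(b, n, p), mat_pow(A, i, p), p), p)
    return R

def companion(coeffs, p):
    """C_a: 1's on the first subdiagonal, -b_0, ..., -b_{k-1} down the last column."""
    k = len(coeffs)
    C = [[0] * k for _ in range(k)]
    for i in range(1, k):
        C[i][i - 1] = 1
    for i, b in enumerate(coeffs):
        C[i][k - 1] = (-b) % p
    return C

def jordan(lam, c, p):
    """J(lam, c): lam on the main diagonal, 1 on the first superdiagonal."""
    J = [[0] * c for _ in range(c)]
    for i in range(c):
        J[i][i] = lam % p
        if i + 1 < c:
            J[i][i + 1] = 1
    return J

def similar(A, B, p):
    """A ~ B in GL(r, F_p) iff some invertible P satisfies P A = B P (brute force over P)."""
    r = len(A)
    for entries in product(range(p), repeat=r * r):
        P = [list(entries[i * r:(i + 1) * r]) for i in range(r)]
        if det(P, p) != 0 and mat_mul(P, A, p) == mat_mul(B, P, p):
            return True
    return False

def conjugate_to_some_power(M1, M2, p):
    """Least k >= 1 with M1 ~ M2^k, or None after running through the cyclic group <M2>."""
    I = scalar_mat(1, len(M2), p)
    k, Mk = 1, M2
    while True:
        if similar(M1, Mk, p):
            return k
        if Mk == I:
            return None
        Mk, k = mat_mul(Mk, M2, p), k + 1
```

Over $\mathbb{F}_3$ the companion matrix of $x^2 + 1$ has order 4, so `conjugate_to_some_power(I, C, 3)` returns 4, while $J(1, 2)$ has characteristic polynomial $(x-1)^2$ and is conjugate to no power of $C$.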



3 Computing a Standard Decomposition 

In this section we present a quantum algorithm computing a standard decomposition of any group in the class $\mathcal{S}$ in time polynomial in the logarithm of the order of the group.
3.1 Description of the algorithm

The precise description of the algorithm, which we denote Procedure DECOMPOSE, is given in metacode in Figure 1. Further descriptions of how each step is implemented follow.



Procedure DECOMPOSE

INPUT: a set of generators $\{g_1, \ldots, g_s\}$ of a group $G$ in $\mathcal{S}$ with $s = O(\log|G|)$.
OUTPUT: a pair $(U, v)$ where $U$ is a subset of $G$ and $v \in G$.

 1  compute a set of generators $\{g'_1, \ldots, g'_t\}$ of the derived subgroup $G'$ with $t = O(\log|G|)$;
 2  compute $K = \mathrm{lcm}(|g_1|, \ldots, |g_s|)$;
 3  factorize $K$ and write $K = p_1^{e_1} \cdots p_r^{e_r}$ where the prime numbers $p_i$ are distinct;
 4  $U \leftarrow \{g'_1, \ldots, g'_t\}$; $V \leftarrow \emptyset$; $\Sigma \leftarrow \emptyset$;
 5  for $i = 1$ to $r$
 6  do
 7      $\Gamma_i \leftarrow \emptyset$;
 8      for $j = 1$ to $s$ do $\Gamma_i \leftarrow \Gamma_i \cup \{g_j^{K/p_i^{e_i}}\}$;
 9      if $[\Gamma_i, G'] = e$ and $\gcd(p_i, |G'|) \neq 1$ then $U \leftarrow U \cup \Gamma_i$;
10      if $[\Gamma_i, G'] = e$ and $\gcd(p_i, |G'|) = 1$
11      then
12          search for an element $\gamma_i \in \Gamma_i$ such that $\langle \Gamma_i \rangle G' = \langle \gamma_i, G' \rangle$;
13          if no such element exists
14          then $U \leftarrow U \cup \Gamma_i$
15          else $\Sigma \leftarrow \Sigma \cup \{\gamma_i\}$;
16      endthen
17      if $[\Gamma_i, G'] \neq e$ then { take an element $\gamma_i \in \Gamma_i$ such that $|\gamma_i| = \max_{\gamma \in \Gamma_i} |\gamma|$;
18          $V \leftarrow V \cup \{\gamma_i\}$; }
19  enddo
20  for all $w$ in $\Sigma$
21  do
22      if there exists an element $z$ in $\Sigma$ such that $[w, z] \neq e$
23      then { if $zwz^{-1} \in \langle w \rangle$ then $U \leftarrow U \cup \{w\}$ else $V \leftarrow V \cup \{w\}$; }
24  enddo
25  for all $w \in \Sigma \setminus (U \cup V)$
26  do
27      if $[w, u] = e$ for all $u \in U$ then $U \leftarrow U \cup \{w\}$ else $V \leftarrow V \cup \{w\}$;
28  enddo
29  $b \leftarrow \prod_{g \in V} |g|$; $z \leftarrow \prod_{g \in V} g$; $v \leftarrow z^{|z|/b}$;
30  output $(U, v)$;

Figure 1: Procedure DECOMPOSE.

• At Step 1 a set of generators $\{g'_1, \ldots, g'_t\}$ of the derived subgroup $G'$ with $t = O(\log|G|)$ is computed in time polynomial in $\log|G|$ with success probability $1 - 1/\mathrm{poly}(|G|)$ using the classical algorithm by Babai et al.

• The order of $G'$ at Steps 9 and 10, and the orders of elements at Steps 2, 17 and 29, are computed using the quantum algorithms for Tasks (i) and (ii) in Theorem 2.1.

• The least common multiple at Step 2 is computed using standard algorithms, and is factorized at Step 3 using Shor's factoring algorithm [31].

• At Step 12, notice that $[\Gamma_i, G'] = e$ implies that $\langle \Gamma_i \rangle G'$ is an abelian group. For each element $\gamma_i$ in $\Gamma_i$ (there are at most $s = O(\log|G|)$ such elements), the quantum algorithms for Tasks (i) and (ii) in Theorem 2.1 are used to check whether $|\langle \Gamma_i \rangle G'| = |\langle \gamma_i, G' \rangle|$. Since necessarily $\langle \gamma_i, G' \rangle \le \langle \Gamma_i \rangle G'$, this test is sufficient to check whether $\langle \Gamma_i \rangle G' = \langle \gamma_i, G' \rangle$.

• The tests at Steps 9, 10 and 17 are done by noticing that $[\Gamma_i, G'] = \{e\}$ if and only if $[\gamma, g'_j] = e$ for each $\gamma \in \Gamma_i$ and each $j \in \{1, \ldots, t\}$.

• Testing whether $zwz^{-1}$ is in $\langle w \rangle$ at Step 23 is done by trying to decompose $zwz^{-1}$ over $\langle w \rangle$ using the quantum algorithm for Task (iii) in Theorem 2.1 and then checking whether the decomposition indeed represents $zwz^{-1}$ (since, a priori, this algorithm can have an arbitrary behavior when $zwz^{-1} \notin \langle w \rangle$).

This description, along with Theorem 2.1 and the observation that the sets $U$, $V$ and $\Sigma$ have size $O((\log|G|)^2)$, shows that all the steps of Procedure DECOMPOSE can be implemented in time polynomial in $\log|G|$. The following theorem states the time complexity of Procedure DECOMPOSE, and also its correctness.

Theorem 3.1. Let $G$ be a group in the class $\mathcal{S}$, given as a black-box group (with unique encoding). The procedure DECOMPOSE on input $G$ outputs, with high probability, a pair $(U, v)$ such that $(\langle U \rangle, \langle v \rangle)$ is a standard decomposition of $G$. It can be implemented in time polynomial in $\log|G|$ on a quantum computer.

Before giving a complete proof of Theorem 3.1 in Subsection 3.2, we first describe its outline below, which we believe is also instructive in that it describes what Procedure DECOMPOSE actually does.

Suppose that $(A, \langle y \rangle)$ is a standard decomposition of $G$ with $|y| = m$. This decomposition is unknown, and the value of $m$ too. Suppose that $K = p_1^{e_1} \cdots p_r^{e_r}$ where the $p_i$'s are distinct prime numbers. The first thing that is done is to convert the set of generators of $G$ into a set $\Gamma = \bigcup_{i=1}^r \Gamma_i$ of generators of prime power order (where each $\Gamma_i$ consists of elements of order $p_i^{k_i}$ with $0 \le k_i \le e_i$).

The idea of the procedure is then to construct two sets: a set $U$ which will contain generators of $A$ and a set $V$ which will contain elements of prime power order of the form $ay^\alpha$ with $a \in A$ and $\alpha \not\equiv 0 \bmod m$. More precisely, most elements of $\Gamma$ can be assigned to either $U$ or $V$ using simple rules (from the properties of groups in the class $\mathcal{S}$): if the order of an element $g$ of $\Gamma$ is not coprime with $|G'|$, then $g$ should be put in $U$ (Step 9); if at least two elements of $\Gamma$ are in the same subset $\Gamma_i$ but do not define a cyclic subgroup (up to elements in the commutator subgroup), then they both should be put in $U$ (Step 14); if an element $g$ of $\Gamma$ does not commute with all the elements of $G'$, then $g$ should be put in $V$ (Step 18; for technical reasons, only one element satisfying this condition from each $\Gamma_i$ is put in $V$).

It remains to deal with the set $\Sigma$ of elements satisfying none of these three conditions. For elements $w \in \Sigma$ not commuting with at least one element $z$ in $\Sigma$, deciding whether $w$ should be put in $U$ or in $V$ can be done by checking whether $zwz^{-1} \in \langle w \rangle$ or not (Steps 22 and 23). The last part of the procedure (Steps 25 to 28) deals with the elements in $\Sigma$ commuting with all elements in $\Sigma$; these elements are put as far as possible in $U$ to make $\langle U \rangle$ as large as possible.

Finally, at Step 29, the product of all the elements in $V$ is raised to some well-chosen power in order to obtain an element $v$ such that $\langle v \rangle \cap \langle U \rangle = \{e\}$. It can be shown that $(\langle U \rangle, \langle v \rangle)$ is then a standard decomposition of $G$.
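The Python block below is an added classical model of Procedure DECOMPOSE, following the step numbers of Figure 1 on small concrete groups; it is not the paper's code. Every quantum subroutine (order finding, abelian decomposition, constructive membership) is replaced by exhaustive search, so it only runs on groups small enough to enumerate, and the generating set of $G'$ is simply all its nonidentity elements rather than one of size $O(\log|G|)$. The groups are semidirect products $\mathbb{Z}_n \rtimes \mathbb{Z}_m$ with $y$ acting as multiplication by a unit $t$ (an assumption of the example: $t^m \equiv 1 \bmod n$), presented as a black box that only offers a multiplication oracle; inverses are obtained from element orders as in footnote 2. On $\mathbb{Z}_7 \rtimes \mathbb{Z}_6$ with $y: a \mapsto 2a$, where $y^3$ is central, the procedure must discover the standard decomposition $(\mathbb{Z}_{14}, \mathbb{Z}_3)$ rather than the obvious $(\mathbb{Z}_7, \mathbb{Z}_6)$, which exercises the set $\Sigma$ and Steps 25 to 28.

```python
# Classical brute-force model of Procedure DECOMPOSE (Figure 1) on small concrete
# groups. Added example, not the paper's code: the quantum subroutines (order finding,
# abelian decomposition, constructive membership) are replaced by exhaustive search,
# so it only runs on groups small enough to enumerate. The groups are semidirect
# products Z_n x| Z_m with y acting on Z_n as multiplication by a unit t (assumption:
# t^m = 1 mod n); an element is a pair (a, i) standing for the product a*y^i.
from math import gcd

class Semidirect:
    """Black box for G = Z_n x| Z_m: a multiplication oracle on pairs (a, i), nothing else."""
    def __init__(self, n, m, t):
        assert pow(t, m, n) == 1 % n
        self.n, self.m, self.t, self.e = n, m, t, (0, 0)
        self.elements = [(a, i) for a in range(n) for i in range(m)]

    def mul(self, x, y):                  # (a y^i)(b y^j) = (a + t^i b) y^(i+j)
        (a, i), (b, j) = x, y
        return ((a + pow(self.t, i, self.n) * b) % self.n, (i + j) % self.m)

    def power(self, g, k):
        r = self.e
        for _ in range(k):
            r = self.mul(r, g)
        return r

    def order(self, g):                   # Task (i), by brute force
        k, x = 1, g
        while x != self.e:
            x, k = self.mul(x, g), k + 1
        return k

    def inv(self, g):                     # footnote 2: inverse from the order, no inverse oracle
        return self.power(g, self.order(g) - 1)

    def comm(self, g, h):                 # [g, h] = g h g^-1 h^-1
        return self.mul(self.mul(g, h), self.mul(self.inv(g), self.inv(h)))

    def span(self, gens):                 # <gens>, by closure
        S, todo = {self.e}, [self.e]
        while todo:
            x = todo.pop()
            for g in gens:
                y = self.mul(x, g)
                if y not in S:
                    S.add(y); todo.append(y)
        return S

    def derived(self):                    # G' = <[g, h] : g, h in G>
        return self.span([self.comm(g, h) for g in self.elements for h in self.elements])

def factor(K):
    f, p = {}, 2
    while p * p <= K:
        while K % p == 0:
            f[p] = f.get(p, 0) + 1; K //= p
        p += 1
    if K > 1:
        f[K] = f.get(K, 0) + 1
    return f

def decompose(G, gens):
    """Follows the step numbers of Figure 1; returns (U, v)."""
    Gp = G.derived()                                            # Step 1
    Gp_gens = [g for g in Gp if g != G.e]
    K = 1
    for g in gens:                                              # Step 2
        K = K * G.order(g) // gcd(K, G.order(g))
    U, V, Sigma = set(Gp_gens), set(), set()                    # Step 4
    for p, e in factor(K).items():                              # Step 3 and Steps 5-19
        Gamma = {G.power(g, K // p**e) for g in gens}           # Step 8
        central = all(G.comm(x, h) == G.e for x in Gamma for h in Gp_gens)
        if central and gcd(p, len(Gp)) != 1:                    # Step 9
            U |= Gamma
        elif central:                                           # Steps 10-16
            target = G.span(list(Gamma) + Gp_gens)
            found = [x for x in Gamma if G.span([x] + Gp_gens) == target]
            if found:
                Sigma.add(found[0])
            else:
                U |= Gamma
        else:                                                   # Steps 17-18
            V.add(max(Gamma, key=G.order))
    for w in Sigma:                                             # Steps 20-24
        for z in Sigma:
            if G.comm(w, z) != G.e:
                conj = G.mul(G.mul(z, w), G.inv(z))
                (U if conj in G.span([w]) else V).add(w)
                break
    for w in Sigma - U - V:                                     # Steps 25-28
        (U if all(G.comm(w, u) == G.e for u in U) else V).add(w)
    b, z = 1, G.e                                               # Step 29
    for g in V:
        b, z = b * G.order(g), G.mul(z, g)
    return U, G.power(z, G.order(z) // b)

def check_decomposition(G, U, v):
    """(ok, |<U>|, |<v>|): <U> normal abelian, gcd(|<U>|, |<v>|) = 1 and <U><v> = G."""
    A, B = G.span(list(U)), G.span([v])
    normal = all(G.mul(G.mul(g, a), G.inv(g)) in A for g in G.elements for a in A)
    abelian = all(G.comm(a, c) == G.e for a in A for c in A)
    ok = normal and abelian and gcd(len(A), len(B)) == 1 and len(G.span(list(U) + [v])) == len(G.elements)
    return ok, len(A), len(B)

if __name__ == "__main__":
    G = Semidirect(7, 6, 2)               # Z_7 x| Z_6, y: a -> 2a, generated by (1,0) and (0,1)
    print(check_decomposition(G, *decompose(G, [(1, 0), (0, 1)])))   # (True, 14, 3)
```

For $\mathbb{Z}_7 \rtimes \mathbb{Z}_6$ the element $y^3$ lands in $\Sigma$ at the prime 2, $y^2$ goes to $V$ at the prime 3, and $y^3$ is finally moved to $U$ at Step 27, giving $\langle U \rangle \cong \mathbb{Z}_{14}$ and $v = y^2$. The same code returns $(\mathbb{Z}_6, \{e\})$ for the abelian group $\mathbb{Z}_6$ (so $\gamma(G) = 1$) and $(\mathbb{Z}_3, \mathbb{Z}_4)$ for the dicyclic group $\mathbb{Z}_3 \rtimes \mathbb{Z}_4$.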
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3.2 Proof of Theorem 

We start with two lemmas. 

Lemma 3.1. Let G be a group in the class ,5^ and suppose that (A, (j)') € Let w = ay" be an 
element ofG with a (zA and a ^ mod m. If the order ofw is a prime power, then a G G'. 

Proof. If the order of w is a prime power, then it is necessarily a prime power p'' dividing m 
since a ^0 mod m. Now e = {ay"'Y' = xaP'y^P' = xaP' where x is some element in G'. Thus 
aP' G G' C A. Since p' is coprime with |A|, we conclude that a G G'. □ 

Lemma 3.2. Let G be a group in the class .5^ and suppose that (A, (j)) G Qs^q. Let T, be a set of 
elements ofG of prime power order such that each element ofL has order coprime with \G'\ and 
commutes with all the elements in G'. Let w and z be two elements ofL such that [w,z] 7^ e. Then 

(1) ifzwzr ' G (w) then w G A and z = ay" with a and a ^ mod m. 

(2) ifzwzr^ ^ (w) then z G A and w = ay" with a and a ^ mod m. 

Proof. Since $[w,z]\neq e$ and $A$ is abelian, at least one of $w$ and $z$ is of the form $ay^{\alpha}$ with $a\in A$ and $\alpha\not\equiv 0\pmod m$. Lemma 3.1 shows that exactly one of $w$ and $z$ is of this form, while the other is in $A$ (remember that $w$ and $z$ commute with all the elements of $G'$; if both were of this form, Lemma 3.1 would put both $a$'s in $G'$, and then $w$ and $z$ would commute).

Let us first prove assertion (1). Suppose that $z\in A$ (and thus necessarily $w = ay^{\alpha}$ with $a\in A$ and $\alpha\not\equiv 0\pmod m$). If $zwz^{-1}\in\langle w\rangle$, then $[z,w] = (zwz^{-1})w^{-1}$ is in $\langle w\rangle$ too. But $[z,w]$ also lies in $G'\subseteq A$, and the order of $w$ is coprime with $|A|$ (remember that $|w|$ is a prime power and, as in the proof of Lemma 3.1, divides $m$), so $\langle w\rangle\cap A=\{e\}$ and we conclude that $[z,w] = e$. This gives a contradiction. Thus, if $zwz^{-1}\in\langle w\rangle$, then $w\in A$.

We now prove assertion (2). Suppose that $w\in A$ (and thus necessarily $z = ay^{\alpha}$ with $a\in A$ and $\alpha\not\equiv 0\pmod m$). Then $zwz^{-1}$ is also in $A$. More precisely, $zwz^{-1} = [z,w]\,w$, where $[z,w]\in G'$ commutes with $w$. From the observation that $zwz^{-1}$ has the same order as $w$ and the fact that $\gcd(|w|,|G'|) = 1$, we conclude that $[z,w] = e$ and that $zwz^{-1}\in\langle w\rangle$. Thus, if $zwz^{-1}\notin\langle w\rangle$, then $z\in A$. □

We now proceed with the proof of Theorem 3.1.

Proof of Theorem 3.1. The complexity of Procedure DECOMPOSE follows from the description of the procedure given in Subsection 3.1. It remains to prove its correctness.

Let $(A,\langle y\rangle)$ be a standard decomposition of $G$ with $|y| = m$. Notice that each call to the quantum algorithms solving the tasks mentioned in Theorem 2.1 made in Procedure DECOMPOSE has success probability at least $1 - 1/\mathrm{poly}(|G|)$. Then, with high probability, none of those steps fails. In the following we suppose that this is the case and show that, then, the procedure necessarily outputs a standard decomposition of $G$.

First, notice that the sets $F_i$ constructed in the loop of Steps 5 to 19 are such that $G = \langle\bigcup_{i=1}^{r}F_i\rangle$. Moreover, they satisfy the following property. Write $|G| = p_1^{e_1}\cdots p_r^{e_r}$ for the prime factorization of $|G|$. If $p_i$ divides $m$, then $\langle F_i\rangle G' = \langle y^{m/p_i^{e_i}},G'\rangle$ from Lemma 3.1. If $p_i$ does not divide $m$, then $\langle F_i\rangle G' = A_{p_i}G'$, where $A_{p_i}$ denotes the Sylow $p_i$-subgroup of $A$ (since, in this case, the $|G|/p_i^{e_i}$-th power of an element $ay^{\alpha}$ of $G$ is $x\,a^{|G|/p_i^{e_i}}$, where $x$ is an element of $G'$).

At the end of the loop of Steps 5 to 19, the set $U\cup V\cup\Sigma$ is a generating set of $G$ (here the fact that $G'\subseteq\langle U\rangle$ is important). More precisely, the set $U$ contains only elements of $A$. The set $V$ contains only elements of the form $ay^{\alpha_i m/p_i^{e_i}}$ for some $i\in\{1,\dots,r\}$ such that $p_i$ divides $m$, where $a\in G'$ (from Lemma 3.1) and $\alpha_i$ is an integer such that $\gcd(\alpha_i,p_i) = 1$. Moreover there is at most one element of this form in $V$ for each $i\in\{1,\dots,r\}$ such that $p_i$ divides $m$. The set $\Sigma$ is a set of elements satisfying the conditions of Lemma 3.2.

In the loop of Steps 20 to 24, all the elements $w\in\Sigma$ such that $[w,\Sigma]\neq\{e\}$ are put in either $U$ or $V$. From Lemma 3.1 and Lemma 3.2, the elements put in $U$ are elements of $A$ and the elements put in $V$ are of the form $w = ay^{\alpha}$ for some $a\in G'$ and some $\alpha\not\equiv 0\pmod m$. At the end of the loop, the elements of $\Sigma\setminus(U\cup V)$ commute with all the elements of $\Sigma$.

Finally, the loop of Steps 25 to 28 ensures that all the elements of $\Sigma\setminus(U\cup V)$ are put in either $U$ or $V$, in the following way. The new elements put in $U$ are precisely those commuting with the original set $U$ (since these new elements also commute with each other, the final subgroup $\langle U\rangle$ is then abelian). The elements put in $V$ are such that, at the end of the loop, $V$ again contains only elements of the form $ay^{\alpha_i m/p_i^{e_i}}$ with $a\in G'$ and $\gcd(\alpha_i,p_i) = 1$, for some $i\in\{1,\dots,r\}$ such that $p_i$ divides $m$. Moreover there is at most one element of this form in $V$ for each such $i$ (from the construction of the set $S$). This latter observation implies that the element $z$ constructed at Step 29 is such that $\langle z\rangle G' = \langle V\rangle G'$.

The final subgroup $\langle U\rangle$ is abelian and, since $G'\subseteq\langle U\rangle$, is normal in $G$. Since $\langle z\rangle G' = \langle V\rangle G'$, we know that $\langle z,U\rangle = G$ (remember that $G'\subseteq\langle U\rangle$). The element $v$ constructed at Step 29 is of the form $ay^{\alpha}$, with $a\in G'$ and $\alpha$ coprime with $m$, and then $\langle v,U\rangle = G$; but $v$ satisfies in addition a relation of the form $v^{m'} = e$ with $m'$ dividing $m$ (see below). Since $\langle U\rangle$ is abelian and each element of $U$ has order coprime with $|v|$, we conclude that $\gcd(|v|,|\langle U\rangle|) = 1$. Thus $\langle v\rangle\cap\langle U\rangle = \{e\}$.

This shows that the output $(U,v)$ of Procedure DECOMPOSE is such that $(\langle U\rangle,\langle v\rangle)$ is again a decomposition of $G$ of the kind considered in Lemma 3.1, with parameter $m' = |v|\le m$ (more precisely, $|v|$ divides $m$ by construction). Since $m$ is the minimal integer for which such a decomposition of $G$ exists (because $(A,\langle y\rangle)$ is a standard decomposition of $G$), we conclude that $m = m'$ and that Procedure DECOMPOSE finds a standard decomposition of the group $G$. □

4 Set Discrete Logarithm 

4.1 Statement of the problem 

We first introduce the following useful notation. Let $\mathbb{F}$ be a finite field, and $\Sigma = \{x_1,\dots,x_v\}$ be any subset of $\mathbb{F}$ with possible repetitions, i.e., all the $x_i$'s are elements of $\mathbb{F}$, but may not be distinct. For any integer $k$, we denote by $\Sigma^k$ the subset of $\mathbb{F}$ with possible repetitions $\{x_1^k,\dots,x_v^k\}$.

In this section we consider the following problem. Here $u$ is a positive integer which is a parameter of the problem (taking $u\ge 2$ does not make the problem significantly harder, but it enables us to give a more convenient presentation of our results).

SET DISCRETE LOGARITHM

INPUT: two lists $(S_1,\dots,S_u)$ and $(T_1,\dots,T_u)$ where, for each integer $h\in\{1,\dots,u\}$, $S_h$ and $T_h$ are subsets with possible repetitions of some finite field $\mathbb{F}_h$.

OUTPUT: a positive integer $k$ such that $T_h^k = S_h$ for all $h\in\{1,\dots,u\}$, if such an integer exists.

Notice that the case $u = 1$ with $|S_1| = |T_1| = 1$ is the usual discrete logarithm problem over the multiplicative group of the field $\mathbb{F}_1$. Actually, our algorithm solving the problem SET DISCRETE LOGARITHM only needs the multiplicative structure of the fields, and therefore also works if each field $\mathbb{F}_h$ in the definition is replaced by any finite group $G_h$ written multiplicatively. However, since the main applications of our algorithm deal with field structures (as described in Section 5 and Section 6), we describe our results in the present slightly less general form.
Given an instance of SET DISCRETE LOGARITHM, let $m_S$ denote the smallest positive integer such that $x^{m_S} = 1$ for all $x\in S_1\cup\dots\cup S_u$, and let $m_T$ denote the smallest positive integer such that $y^{m_T} = 1$ for all $y\in T_1\cup\dots\cup T_u$. The main result of this section is the following theorem.

Theorem 4.1. There exists a quantum algorithm that solves with high probability the problem SET DISCRETE LOGARITHM, and runs in time polynomial in $u$, $\log(m_S + m_T)$, and $\max_{1\le h\le u}(|S_h| + |T_h| + \log|\mathbb{F}_h|)$.

4.2 Proof of Theorem 4.1

We first describe how to compute intersections of cosets of abelian groups efficiently using a 
quantum computer. 

Proposition 4.1. Let $\Gamma$ be an abelian group, given as a black box, and $\Gamma_1,\Gamma_2$ be two subgroups of $\Gamma$ given by generating sets. Let $x$ and $y$ be two elements of $\Gamma$. There exists a quantum algorithm that decides with high probability, in time polynomial in $\log|\Gamma|$, whether $x\Gamma_1\cap y\Gamma_2$ is empty. Moreover, when the algorithm decides that $x\Gamma_1\cap y\Gamma_2\neq\emptyset$, it also outputs an element $\gamma\in\Gamma$ and $t = O(\log|\Gamma|)$ elements $\gamma_1,\dots,\gamma_t$ such that $x\Gamma_1\cap y\Gamma_2 = \gamma\langle\gamma_1,\dots,\gamma_t\rangle$ with high probability.

Proof. A standard result of group theory states that the set $x\Gamma_1\cap y\Gamma_2$ is either empty or a coset of the subgroup $\Gamma_1\cap\Gamma_2$ (this statement holds even if $\Gamma$ is not abelian). Notice that $x\Gamma_1\cap y\Gamma_2\neq\emptyset$ if and only if $xy^{-1}\in\Gamma_1\Gamma_2$. This can be checked efficiently using the quantum algorithm by Ivanyos et al. [17] for testing membership in abelian groups, but more work is needed to find an explicit element of $x\Gamma_1\cap y\Gamma_2$.

Let $\{\alpha_1,\dots,\alpha_s\}$ and $\{\beta_1,\dots,\beta_t\}$ be bases of $\Gamma_1$ and $\Gamma_2$ respectively. Define the abelian group $P_1 = \mathbb{Z}_{|\alpha_1|}\times\dots\times\mathbb{Z}_{|\alpha_s|}\times\mathbb{Z}_{|\beta_1|}\times\dots\times\mathbb{Z}_{|\beta_t|}\times\mathbb{Z}_{|xy^{-1}|}$ and define the map $f_1$ from $P_1$ to $\Gamma$ as follows: for any $(a_1,\dots,a_s,b_1,\dots,b_t,c)$ in $P_1$,

$$f_1(a_1,\dots,a_s,b_1,\dots,b_t,c) = \alpha_1^{a_1}\cdots\alpha_s^{a_s}\,\beta_1^{b_1}\cdots\beta_t^{b_t}\,(xy^{-1})^{c}.$$

Notice that the set $Q_1 = \{(a_1,\dots,a_s,b_1,\dots,b_t,c)\in P_1 \mid (xy^{-1})^{-c} = \alpha_1^{a_1}\cdots\alpha_s^{a_s}\beta_1^{b_1}\cdots\beta_t^{b_t}\}$ is a subgroup of $P_1$ (the kernel of $f_1$), and that the function $f_1$ is constant on cosets of $Q_1$ in $P_1$, with distinct values on distinct cosets. This is thus an instance of the abelian HSP, and a set of generators of $Q_1$ can be found in time polynomial in $\log|P_1| = O(\log|\Gamma|)$. The set $x\Gamma_1\cap y\Gamma_2$ is not empty if and only if $Q_1$ contains some element of the form $(a_1,\dots,a_s,b_1,\dots,b_t,1)$, in which case the element $\gamma = x\alpha_1^{a_1}\cdots\alpha_s^{a_s}$ is in $x\Gamma_1\cap y\Gamma_2$ (indeed $x\alpha_1^{a_1}\cdots\alpha_s^{a_s} = y\beta_1^{-b_1}\cdots\beta_t^{-b_t}$).

We now show how to compute a generating set of the subgroup $\Gamma_1\cap\Gamma_2$. This can be done using the quantum algorithm by Friedl et al. [14] computing the intersection of subgroups in "smoothly solvable" groups, but we present here a much simpler quantum algorithm for the abelian case, inspired by techniques developed in [26]. Let $f_2$ be the map from the abelian group $P_2 = \mathbb{Z}_{|\alpha_1|}\times\dots\times\mathbb{Z}_{|\alpha_s|}\times\mathbb{Z}_{|\beta_1|}\times\dots\times\mathbb{Z}_{|\beta_t|}$ to $\Gamma_1\Gamma_2$ defined as follows: for any $(a_1,\dots,a_s,b_1,\dots,b_t)$ in $P_2$,

$$f_2(a_1,\dots,a_s,b_1,\dots,b_t) = \alpha_1^{a_1}\cdots\alpha_s^{a_s}\,\beta_1^{b_1}\cdots\beta_t^{b_t}.$$

Notice that the set $Q_2 = \{(a_1,\dots,a_s,b_1,\dots,b_t)\in P_2 \mid \alpha_1^{a_1}\cdots\alpha_s^{a_s}\beta_1^{b_1}\cdots\beta_t^{b_t} = 1\}$ is a subgroup of $P_2$, and that the function $f_2$ is constant on cosets of $Q_2$ in $P_2$, with distinct values on distinct cosets. This is thus an instance of the abelian HSP, and a set of generators $\{z_1,\dots,z_r\}$ of $Q_2$ with $r = O(\log|\Gamma|)$ can be found in time polynomial in $\log|P_2| = O(\log|\Gamma|)$ using the algorithm described in Subsection 2.2. For each $i\in\{1,\dots,r\}$ let us write $z_i = (u_{i1},\dots,u_{is},v_{i1},\dots,v_{it})$ and define $\gamma_i = \alpha_1^{u_{i1}}\cdots\alpha_s^{u_{is}}$. Then it is easy to check that $\Gamma_1\cap\Gamma_2 = \langle\gamma_1,\dots,\gamma_r\rangle$ (each $\gamma_i$ equals $\beta_1^{-v_{i1}}\cdots\beta_t^{-v_{it}}\in\Gamma_2$, and conversely every element of $\Gamma_1\cap\Gamma_2$ arises this way from an element of $Q_2$). □
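As an added illustration (not part of the original paper), the following Python code carries out the two kernel constructions of Proposition 4.1 in a tiny abelian group, $\Gamma = (\mathbb{Z}/105\mathbb{Z})^*$, with the quantum abelian HSP solver replaced by exhaustive enumeration of $P_1$ and $P_2$, so it only scales to toy sizes. The modulus 105, the generators of $\Gamma_1$ and $\Gamma_2$ and the elements $x$, $y$ are constructed for the example; the two kernels $Q_1$, $Q_2$, the witness with last coordinate 1, and the generators $\gamma_i$ of $\Gamma_1\cap\Gamma_2$ are exactly the objects of the proof.

```python
"""Coset intersection x*G1 ∩ y*G2 in Gamma = (Z/105Z)^* via the kernels Q1 and Q2
of Proposition 4.1.  Added example: the abelian-HSP oracle of the paper is replaced
by brute-force enumeration of the domains P1 and P2, which only works for toy sizes.
"""
from itertools import product

N = 105  # Gamma = (Z/105Z)^*, an abelian group of order 48 (constructed example)


def order(g):
    """Multiplicative order of g modulo N (brute force)."""
    k, x = 1, g % N
    while x != 1:
        x, k = x * g % N, k + 1
    return k


def generated(gens):
    """The subgroup <gens> of Gamma as an explicit set (brute-force closure)."""
    elems, frontier = {1}, [1]
    while frontier:
        g = frontier.pop()
        for h in gens:
            x = g * h % N
            if x not in elems:
                elems.add(x)
                frontier.append(x)
    return elems


def coset_intersection(x, alphas, y, betas):
    """Return (gamma, gens) with x<alphas> ∩ y<betas> = gamma * <gens>, or None if empty."""
    gens_all = list(alphas) + list(betas)
    w = x * pow(y, -1, N) % N                     # w = x y^{-1}
    ranges = [range(order(g)) for g in gens_all]  # P2 = Z_|a1| x ... x Z_|bt|

    def f2(exps):                                 # f2(a, b) = prod alpha_i^a_i * prod beta_j^b_j
        val = 1
        for g, e in zip(gens_all, exps):
            val = val * pow(g, e, N) % N
        return val

    # Q1 = kernel of f1 on P1 = P2 x Z_|w|: the tuples (a, b, c) with f2(a, b) * w^c = 1.
    ow = order(w)
    q1 = [p for p in product(*ranges, range(ow))
          if f2(p[:-1]) * pow(w, p[-1], N) % N == 1]
    # x<alphas> ∩ y<betas> is non-empty iff Q1 has an element with last coordinate 1 (mod |w|).
    witness = next((p for p in q1 if p[-1] == 1 % ow), None)
    if witness is None:                           # equivalently: w is not in G1 G2
        return None
    gamma = x
    for a, e in zip(alphas, witness[:len(alphas)]):
        gamma = gamma * pow(a, e, N) % N          # gamma = x * prod alpha_i^{a_i}
    # Q2 = kernel of f2; the alpha-parts of its elements generate G1 ∩ G2.
    q2 = [p for p in product(*ranges) if f2(p) == 1]
    gens = sorted({f2(p[:len(alphas)] + (0,) * len(betas)) for p in q2})
    return gamma, gens


def intersection_as_set(x, alphas, y, betas):
    """Expand the output of coset_intersection into an explicit set (empty if no solution)."""
    res = coset_intersection(x, alphas, y, betas)
    if res is None:
        return set()
    gamma, gens = res
    return {gamma * g % N for g in generated(gens)}


if __name__ == "__main__":
    # <4> and <11> both have order 6 in Gamma and meet in <16> = {1, 16, 46}.
    print(coset_intersection(2, [4], 2, [11]))
    print(intersection_as_set(2, [4], 13, [11]))  # empty: 2 * 13^{-1} is not in <4><11>
```

The enumeration of $P_1$ and $P_2$ is the only place where the quantum algorithm differs: the paper obtains generators of $Q_1$ and $Q_2$ from the abelian HSP in time polynomial in $\log|\Gamma|$, whereas the brute force above costs $|P_1|$ group operations.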
We are now ready to give our proof of Theorem 4.1.

Proof of Theorem 4.1. For the sake of brevity, let us denote $\Sigma = S_1\cup\dots\cup S_u\cup T_1\cup\dots\cup T_u$. We first compute the orders of all the elements in $\Sigma$ using Shor's algorithm [31]. The value $m_S$ is the least common multiple of the orders of all the elements in $S_1\cup\dots\cup S_u$, and the value $m_T$ is the least common multiple of the orders of all the elements in $T_1\cup\dots\cup T_u$. The values $m_S$ and $m_T$ can thus be computed in time polynomial in $\log(m_S + m_T)$, $|\Sigma|$, and $\max_{1\le h\le u}\log|\mathbb{F}_h|$. Notice that, for any positive integer $k$, the least common multiple of the orders of all the elements in $T_1^k\cup\dots\cup T_u^k$ is $m_T/\gcd(k,m_T)$. Then, if $m_S$ does not divide $m_T$, there is no solution to the problem SET DISCRETE LOGARITHM. If $m_S$ divides $m_T$ but $m_S\neq m_T$, then a solution (if it exists) can be found by replacing the list $(T_1,\dots,T_u)$ by the list $(T_1^{m_T/m_S},\dots,T_u^{m_T/m_S})$. Thus, without loss of generality, we suppose hereafter that $m_S = m_T$ and denote by $m$ this value. Then a solution $k$ can be searched for in the set $\mathbb{Z}_m^*$, since the previous remark forces $\gcd(k,m) = 1$ for any solution.

Let $\{m_1,\dots,m_\ell\} = \bigcup_{z\in\Sigma}\{|z|\}$ denote the set of orders of the elements in $\Sigma$. For each $h\in\{1,\dots,u\}$ and each $i\in\{1,\dots,\ell\}$, we define the subsets

$$S_{h,i} = \{x\in S_h \mid |x| = m_i\}\quad\text{and}\quad T_{h,i} = \{y\in T_h \mid |y| = m_i\}.$$

Let us also define the sets

$$K_{h,i} = \{k\in\mathbb{Z}_m^* \mid T_{h,i}^k = T_{h,i}\}\quad\text{and}\quad \bar K_{h,i} = \{k\in\mathbb{Z}_m^* \mid T_{h,i}^k = S_{h,i}\}.$$

It is straightforward to check that the set $K_{h,i}$ is a subgroup of $\mathbb{Z}_m^*$, and that the set $\bar K_{h,i}$ is either empty, or is a coset of $K_{h,i}$ in $\mathbb{Z}_m^*$.

Let $K\subseteq\mathbb{Z}_m^*$ denote the set of solutions of the instance of SET DISCRETE LOGARITHM we are considering. Then

$$K = \bigcap_{1\le h\le u}\Big(\bigcap_{1\le i\le\ell}\bar K_{h,i}\Big).$$

The set $K$ can be computed efficiently by applying successively the quantum algorithm of Proposition 4.1 (with $\Gamma = \mathbb{Z}_m^*$) if, for each $h\in\{1,\dots,u\}$ and each $i\in\{1,\dots,\ell\}$, the set $\bar K_{h,i}$ is known (more precisely, if a generating set of $K_{h,i}$ and an element of $\bar K_{h,i}$ are known).

The final part of the proof shows how to compute these sets $\bar K_{h,i}$. Let us fix an integer $h\in\{1,\dots,u\}$ and an integer $i\in\{1,\dots,\ell\}$. We suppose that $S_{h,i}$ and $T_{h,i}$ have the same size (otherwise $\bar K_{h,i} = \emptyset$ and thus $K = \emptyset$). Denote $S_{h,i} = \{x_1,\dots,x_v\}$ and $T_{h,i} = \{y_1,\dots,y_v\}$, where $v = |S_{h,i}|$ depends on $h$ and $i$. We present a quantum procedure computing a set of generators of $K_{h,i}$, and an element $\bar k_{h,i}$ of $\bar K_{h,i}$ when this set is not empty, in time polynomial in $v$, $\log m$, and $\log|\mathbb{F}_h|$.

We first show how to compute the subgroup $K_{h,i}$. Let $\prec$ be an arbitrary strict total ordering of the elements of $\mathbb{F}_h$. Without loss of generality we can suppose that $y_1\preceq y_2\preceq\dots\preceq y_v$. Let $\mu$ be the function from $\mathbb{Z}_m^*\times\{1,\dots,v\}$ to $\mathbb{F}_h$ defined as follows: for any $k\in\mathbb{Z}_m^*$ and any $j\in\{1,\dots,v\}$, $\mu(k,j)$ is the $j$-th element (with respect to the order $\prec$) of the set $T_{h,i}^k$. Let $f$ be the function from $\mathbb{Z}_m^*$ to $(\mathbb{F}_h)^v$ such that, for any $k\in\mathbb{Z}_m^*$:

$$f(k) = \big(\mu(k,1)\,y_1^{-1},\dots,\mu(k,v)\,y_v^{-1}\big).$$

Notice that the set $\{k\in\mathbb{Z}_m^* \mid f(k) = (1,\dots,1)\}$ is precisely the subgroup $K_{h,i}$ of $\mathbb{Z}_m^*$. Moreover, the function $f$ is constant on cosets of $K_{h,i}$ in $\mathbb{Z}_m^*$, with distinct values on distinct cosets (since $f(k_1) = f(k_2)$ implies that $T_{h,i}^{k_1} = T_{h,i}^{k_2}$ and thus $k_1\in k_2K_{h,i}$). This is thus an instance of the abelian HSP, and a set of generators of $K_{h,i}$ can be found in time polynomial in $v$, $\log m$ and $\log|\mathbb{F}_h|$ using the algorithm described in Subsection 2.2 (notice that the underlying group is $\mathbb{Z}_m^*$, and that the value of the function $f$ can be computed in time polynomial in $v$, $\log m$ and $\log|\mathbb{F}_h|$).

We now show how to compute an element $\bar k_{h,i}$ of $\bar K_{h,i}$ if this set is not empty. We first try to find an element $\alpha\in\mathbb{Z}_{m_i}^*$ such that $T_{h,i}^{\alpha} = S_{h,i}$. If such an $\alpha$ exists, then $x_1 = y_j^{\alpha}$ for at least one $j$, so it suffices, for each $j\in\{1,\dots,v\}$, to try to find an integer $a_j\in\mathbb{Z}_{m_i}$ such that $y_j^{a_j} = x_1$, if such an integer exists, and to check whether $T_{h,i}^{a_j} = S_{h,i}$ (notice that, for each $j$, there is at most one such $a_j$ in $\mathbb{Z}_{m_i}$ since $y_j$ has order $m_i$, that it is automatically coprime with $m_i$ since $x_1$ has order $m_i$ too, and that it can be computed in time polynomial in $\log m_i$ and $\log|\mathbb{F}_h|$ using the quantum algorithm for the standard discrete logarithm problem [31]). If no such value $\alpha$ can be found, we conclude that $\bar K_{h,i}$ is empty. Otherwise we take any such value $\alpha$ and compute $\bar k_{h,i}$ as follows. Let us write the prime power decomposition of $m$ as

$$m = p_1^{e_1}\cdots p_r^{e_r}\;p_1'^{\,e_1'}\cdots p_s'^{\,e_s'}\;q_1^{f_1}\cdots q_t^{f_t},$$

where each prime $p_l$ divides $m_i$ for $l\in\{1,\dots,r\}$, each prime $p'_l$ divides $\alpha$ but not $m_i$ for $l\in\{1,\dots,s\}$, and each prime $q_l$ divides neither $m_i$ nor $\alpha$ for $l\in\{1,\dots,t\}$. Then the integer

$$\bar k_{h,i} = \alpha + m_i\,q_1^{f_1}\cdots q_t^{f_t} \bmod m$$

is coprime with $m$ (since $\alpha$ is coprime with $m_i$, none of the primes $p_l$, $p'_l$ or $q_l$ divides $\bar k_{h,i}$), and hence is in $\mathbb{Z}_m^*$. From the choice of $\alpha$, since $\bar k_{h,i}\equiv\alpha\pmod{m_i}$ and any element of $T_{h,i}$ has order $m_i$, we conclude that $\bar k_{h,i}$ is in the set $\bar K_{h,i}$. □
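To make the structure of this proof concrete, here is an added Python implementation (not from the paper) of the same procedure over small prime fields $\mathbb{F}_p$, in which every quantum subroutine is replaced by brute force: orders and discrete logarithms are found by enumeration instead of Shor's algorithm, the stabilisers $K_{h,i}$ are enumerated over $\mathbb{Z}_m^*$ instead of being found by the abelian HSP, and the intersection of the cosets $\bar k_{h,i}K_{h,i}$ of Proposition 4.1 is done on explicit sets. The reduction to $m_S = m_T$, the partition by element order and the lifting of $\alpha$ to $\bar k_{h,i}$ follow the proof above. The instance (primes 31 and 13, lists $S_h$, $T_h$ built with $k = 7$) is constructed for the example.

```python
"""SET DISCRETE LOGARITHM over small prime fields, following the proof of Theorem 4.1.
Added example: orders, discrete logarithms and the stabilisers K_{h,i} are found by
brute force (the paper uses Shor's algorithm and an abelian-HSP solver), and the
cosets kbar_{h,i} K_{h,i} are intersected as explicit subsets of Z_m^*.
"""
from collections import Counter
from functools import reduce
from math import gcd


def mult_order(x, p):
    """Multiplicative order of x in F_p^* (brute force)."""
    k, y = 1, x % p
    while y != 1:
        y, k = y * x % p, k + 1
    return k


def factorize(n):
    """Prime factorisation of n as {prime: exponent}."""
    fs, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            fs[d] = fs.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        fs[n] = fs.get(n, 0) + 1
    return fs


def power_multiset(T, k, p):
    """T^k as a multiset (a 'set with possible repetitions')."""
    return Counter(pow(y, k, p) for y in T)


def stabilizer(T_i, m, p):
    """K_{h,i} = {k in Z_m^* : T_{h,i}^k = T_{h,i}}, enumerated instead of found by HSP."""
    base = Counter(T_i)
    return [k for k in range(1, m) if gcd(k, m) == 1 and power_multiset(T_i, k, p) == base]


def coset_representative(S_i, T_i, m, m_i, p):
    """An element kbar_{h,i} of Z_m^* with T_{h,i}^kbar = S_{h,i}, or None if none exists.
    All elements of S_i and T_i have order m_i.  Find alpha in Z_{m_i}^* with T_i^alpha = S_i
    by trying alpha = log_{y_j}(x_1) for each j, then lift alpha to an integer coprime
    with m that is congruent to alpha modulo m_i (the formula of the proof)."""
    if m_i == 1:                                   # only the element 1: any k works
        return 1
    x1, target = S_i[0], Counter(S_i)
    for yj in T_i:
        alpha = next((a for a in range(1, m_i) if pow(yj, a, p) == x1), None)
        if alpha is None or power_multiset(T_i, alpha, p) != target:
            continue
        lift = m_i                                 # times the q_l^{f_l}: primes of m dividing
        for q, f in factorize(m).items():          # neither m_i nor alpha
            if m_i % q and alpha % q:
                lift *= q ** f
        kbar = (alpha + lift) % m
        assert gcd(kbar, m) == 1 and kbar % m_i == alpha
        return kbar
    return None


def set_discrete_log(S_lists, T_lists, primes):
    """Solutions k with T_h^k = S_h for every h (all of them when m_S = m_T; empty set if none).
    When m_S != m_T the instance is first reduced as in the proof and the solutions of the
    reduced instance are scaled back by m_T / m_S."""
    def lcm(a, b):
        return a * b // gcd(a, b)
    mS = reduce(lcm, (mult_order(x, p) for S, p in zip(S_lists, primes) for x in S), 1)
    mT = reduce(lcm, (mult_order(y, p) for T, p in zip(T_lists, primes) for y in T), 1)
    if mT % mS:
        return set()
    scale = mT // mS
    T_lists = [[pow(y, scale, p) for y in T] for T, p in zip(T_lists, primes)]
    m = mS
    if m == 1:                                     # every element is 1 after the reduction
        return {scale} if all(len(S) == len(T) for S, T in zip(S_lists, T_lists)) else set()
    K = {k for k in range(1, m) if gcd(k, m) == 1}
    for S, T, p in zip(S_lists, T_lists, primes):
        for m_i in sorted({mult_order(z, p) for z in S + T}):
            S_i = [x for x in S if mult_order(x, p) == m_i]
            T_i = [y for y in T if mult_order(y, p) == m_i]
            if len(S_i) != len(T_i):
                return set()
            kbar = coset_representative(S_i, T_i, m, m_i, p)
            if kbar is None:
                return set()
            K &= {kbar * k % m for k in stabilizer(T_i, m, p)}   # coset kbar K_{h,i}
            if not K:
                return set()
    return {k * scale for k in K}


def is_solution(S_lists, T_lists, primes, k):
    return all(power_multiset(T, k, p) == Counter(S) for S, T, p in zip(S_lists, T_lists, primes))


if __name__ == "__main__":
    S, T, P = [[17, 4, 16], [8, 5]], [[3, 2, 4], [5, 8]], [31, 13]   # constructed with k = 7
    print(set_discrete_log(S, T, P))   # {7, 37}: m = 60 and the second list has a stabiliser of index 1
```

The second field in the sample instance is there to show the role of the stabilisers: $\{5, 8\}\subset\mathbb{F}_{13}^*$ is fixed by every odd exponent, so it does not cut down the solution set, while the single element $3\in\mathbb{F}_{31}^*$ of order 30 pins $k$ down modulo 30.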

5 Discrete Logarithm up to Conjugacy 

5.1 Statement of the problem 

Given a positive integer $r$ and a finite field $\mathbb{F}$, remember that $GL(r,\mathbb{F})$ denotes the multiplicative group of invertible $r\times r$ matrices with entries in $\mathbb{F}$. In this section we consider the following problem. Here $u$ is again a positive integer which is a parameter of the problem.

DISCRETE LOG UP TO CONJUGACY

INPUT: two lists of matrices $(M_1^{(1)},\dots,M_1^{(u)})$ and $(M_2^{(1)},\dots,M_2^{(u)})$ where, for each integer $h\in\{1,\dots,u\}$, $M_1^{(h)}$ and $M_2^{(h)}$ are in $GL(r_h,\mathbb{F}_h)$ for some positive integer $r_h$ and some finite field $\mathbb{F}_h$.

OUTPUT: a positive integer $k$ and $u$ matrices $M^{(h)}\in GL(r_h,\mathbb{F}_h)$ such that

$$M^{(h)}\cdot M_1^{(h)} = [M_2^{(h)}]^k\cdot M^{(h)}\quad\text{for each } h\in\{1,\dots,u\},$$

if such elements exist.

In the statement of the above problem, the notation $[M_2^{(h)}]^k$ simply means $M_2^{(h)}$ raised to the $k$-th power. Notice that the case $u = 1$ and $r_1 = 1$ is basically the usual discrete logarithm problem over the multiplicative group of the finite field $\mathbb{F}_1$.

Let $m_1$ and $m_2$ denote the smallest positive integers such that $[M_1^{(h)}]^{m_1} = I$ and $[M_2^{(h)}]^{m_2} = I$ for all $h\in\{1,\dots,u\}$. The main result of this section is the following theorem.

Theorem 5.1. There exists a quantum algorithm that solves with high probability the problem DISCRETE LOG UP TO CONJUGACY, and runs in time polynomial in $u$, $\log(m_1 + m_2)$, and $\max_{1\le h\le u}(r_h + \log|\mathbb{F}_h|)$.
5.2 Proof of Theorem 5.1

The quantum algorithm solving the problem DISCRETE LOG UP TO CONJUGACY follows from a reduction to the problem SET DISCRETE LOGARITHM. The key idea is to represent each matrix by its set of elementary divisors. We first introduce some definitions and prove two lemmas before moving to the proof of Theorem 5.1. In this subsection we use the notations introduced in Subsection 2.3.

Let $M$ be a matrix in $GL(r,\mathbb{F})$, where $r$ is a positive integer and $\mathbb{F}$ is a finite field. The minimal polynomial $a_s(x)$ of $M$ does not in general have all its roots in $\mathbb{F}$, and, in order to define the elementary divisors of $M$, we then need to work in a field extension of $\mathbb{F}$ containing all the roots of $a_s(x)$. Denote $\mathbb{F} = GF(q)$ where $q$ is some prime power. It is well known that the roots of any irreducible factor of degree $d$ of a polynomial in $\mathbb{F}[x]$ are elements of the field extension $GF(q^d)$ of $\mathbb{F}$ (see [24] for example). Then the field extension $GF(q^{d'})$ splits the polynomial $a_s(x)$, where $d'$ denotes the least common multiple of the degrees of the irreducible factors of $a_s(x)$ over $\mathbb{F}$. However, the value $d'$ can in general be superpolynomial in $r$, and thus we need to be more careful in order to obtain an algorithm with running time polynomial in $r$ and $\log|\mathbb{F}|$. This is why we introduce the following definition (we also take into consideration the degrees of the associated elementary divisors, for technical reasons).

Definition 5.1. Let $M$ be a matrix in $GL(r,\mathbb{F})$, where $r$ is a positive integer and $\mathbb{F} = GF(q)$ is a finite field of prime power order $q$, and let $d$ and $\ell$ be two positive integers. Suppose that $\{(x-\lambda_1)^{\ell},\dots,(x-\lambda_k)^{\ell}\}$ is the subset of all elementary divisors of degree $\ell$ of $M$ such that each $\lambda_i$ is an element of $GF(q^d)$ but is not in any proper subfield of $GF(q^d)$. Then we define $\Sigma_{d,\ell}(M)$ as the subset of $GF(q^d)$ with possible repetitions $\{\lambda_1,\dots,\lambda_k\}$.

Example. Define the two polynomials $f_1 = x^2 + x + 1$ and $f_2 = (x^2 + x + 1)^2(x^3 + x + 1)$ over $GF(2)$, and the matrix $M = \mathrm{diag}(C_1,C_1,C_2)$ where $C_1$ (resp. $C_2$) denotes the companion matrix of $f_1$ (resp. $f_2$). Notice that $x^2 + x + 1$ and $x^3 + x + 1$ are irreducible over $GF(2)$. The matrix $M$ has size $11\times 11$, consists of 3 diagonal blocks of size $2\times 2$, $2\times 2$ and $7\times 7$ respectively, and is actually already in rational normal form. In particular, its invariant factors are $(f_1,f_1,f_2)$. Then the minimal polynomial of $M$ is $f_2$, which is split by $GF(2^6)$. It can be checked that there exist two elements $\alpha_2\in GF(2^2)$ and $\alpha_3\in GF(2^3)$ of multiplicative order respectively 3 and 7 such that the polynomial $x^2 + x + 1$ factorizes into $(x-\alpha_2)(x-\alpha_2^2)$ over $GF(2^2)$ and the polynomial $x^3 + x + 1$ factorizes into $(x-\alpha_3)(x-\alpha_3^2)(x-\alpha_3^4)$ over $GF(2^3)$. Then the set of elementary divisors of $M$ is $\{(x-\alpha_2),(x-\alpha_2^2),(x-\alpha_2),(x-\alpha_2^2),(x-\alpha_2)^2,(x-\alpha_2^2)^2,(x-\alpha_3),(x-\alpha_3^2),(x-\alpha_3^4)\}$ and the only sets $\Sigma_{d,\ell}(M)$ that are not empty are $\Sigma_{2,1}(M) = \{\alpha_2,\alpha_2,\alpha_2^2,\alpha_2^2\}$, $\Sigma_{2,2}(M) = \{\alpha_2,\alpha_2^2\}$ and $\Sigma_{3,1}(M) = \{\alpha_3,\alpha_3^2,\alpha_3^4\}$. □

We will need the following result on Jordan matrices. 

Lemma 5.1. Let $\lambda$ be a nonzero element of a finite field $\mathbb{K}$ and $c$ be a positive integer. Let $k$ be a positive integer coprime with the multiplicative order of $J(\lambda,c)$. Then the set of elementary divisors of the matrix $[J(\lambda,c)]^k$ is $\{(x-\lambda^k)^c\}$.

Proof. Let us write $M = J(\lambda,c)$ and denote by $p$ the characteristic of $\mathbb{K}$. The result is trivial if $c = 1$, so we suppose that $c\ge 2$.

Our proof is based on the simple fact that the $k$-th power of $M$ is an upper triangular matrix with $\lambda^k$ along the main diagonal, $k\lambda^{k-1}$ along the first superdiagonal, and possibly other nonzero entries in the other superdiagonals if $c > 2$ (the values of these entries are easy to calculate, but not relevant to this proof). Let $m$ denote the multiplicative order of $M$. Then, since $M^m = I$ and $\lambda\neq 0$, we have $m\lambda^{m-1} = 0$ in $\mathbb{K}$, hence $p$ divides $m$.

Let $k$ be a positive integer coprime with $m$. Then $k$ is necessarily coprime with $p$ by the above observation. Notice that a matrix in $GL(c,\mathbb{K})$ has $\{(x-\lambda^k)^c\}$ as its set of elementary divisors if and only if $(x-\lambda^k)^c$ is its minimal polynomial. Since the characteristic polynomial of $M^k$ is $(x-\lambda^k)^c$, the minimal polynomial of $M^k$ divides $(x-\lambda^k)^c$. We now show that $(M^k-\lambda^kI)^{c-1}\neq 0$. From the description of $M^k$ given above, it is easy to show that $(M^k-\lambda^kI)^{c-1}$ is the matrix whose only nonzero entry is located in the first row and the $c$-th column, and that the value of this entry is $(k\lambda^{k-1})^{c-1}$. Since $k$ is coprime with $p$ and $\lambda\neq 0$, we conclude that $(M^k-\lambda^kI)^{c-1}\neq 0$. □

Since two matrices are similar if and only if they have the same elementary divisors, Lemma 5.1 shows that a Jordan block raised to a power coprime with its order is again similar to a single Jordan block: $[J(\lambda,c)]^k$ is similar to $J(\lambda^k,c)$. We now prove the following lemma (remember that, if $\Sigma = \{x_1,\dots,x_v\}$ is a subset of $\mathbb{F}$ with possible repetitions, we denote by $\Sigma^k$ the subset of $\mathbb{F}$ with possible repetitions $\{x_1^k,\dots,x_v^k\}$).
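As an added worked check of Lemma 5.1 (not from the paper), the following Python code builds $J(\lambda,c)$ over a prime field $\mathbb{F}_p$, computes its multiplicative order $m$ by brute force, and tests whether $[J(\lambda,c)]^k$ is still a single Jordan block by computing the nilpotency index of $M^k-\lambda^kI$ together with the corner entry of $(M^k-\lambda^kI)^{c-1}$, which the proof predicts to be $(k\lambda^{k-1})^{c-1}$. The values $p = 7$, $\lambda = 3$, $c = 3$ are chosen for the example; the run with $k = 7$ shows the failure mode the coprimality hypothesis excludes, since when $p$ divides $k$ the power $M^k$ collapses to the scalar matrix $\lambda^kI$.

```python
"""Lemma 5.1 in practice: powers of a Jordan block J(lambda, c) over F_p.
Added example, not from the paper; dense matrices as lists of rows, arithmetic mod p.
"""
from math import gcd


def identity(c):
    return [[int(i == j) for j in range(c)] for i in range(c)]


def jordan_block(lam, c, p):
    """J(lambda, c): lambda on the diagonal, 1 on the first superdiagonal."""
    return [[lam % p if i == j else int(j == i + 1) for j in range(c)] for i in range(c)]


def mat_mul(A, B, p):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % p for j in range(n)] for i in range(n)]


def mat_pow(M, e, p):
    R, B = identity(len(M)), M
    while e:
        if e & 1:
            R = mat_mul(R, B, p)
        B, e = mat_mul(B, B, p), e >> 1
    return R


def mat_order(M, p):
    """Multiplicative order of M in GL(c, F_p) (brute force; fine for small p and c)."""
    I, X, k = identity(len(M)), M, 1
    while X != I:
        X, k = mat_mul(X, M, p), k + 1
    return k


def nilpotency_index(N, p):
    """Smallest e >= 0 with N^e = 0 (N is assumed nilpotent, so e <= dim N)."""
    Z, X, e = [[0] * len(N) for _ in N], identity(len(N)), 0
    while X != Z:
        X, e = mat_mul(X, N, p), e + 1
    return e


def power_is_single_block(lam, c, k, p):
    """Return (single_block, corner).  single_block is True iff the elementary divisors of
    J(lambda, c)^k are {(x - lambda^k)^c}, i.e. M^k - lambda^k I has nilpotency index c;
    corner is the (1, c) entry of (M^k - lambda^k I)^(c-1), which the proof of Lemma 5.1
    gives as (k lambda^(k-1))^(c-1)."""
    Mk = mat_pow(jordan_block(lam, c, p), k, p)
    lam_k = pow(lam, k, p)
    N = [[(Mk[i][j] - (lam_k if i == j else 0)) % p for j in range(c)] for i in range(c)]
    corner = mat_pow(N, c - 1, p)[0][c - 1]
    return nilpotency_index(N, p) == c, corner


if __name__ == "__main__":
    p, lam, c = 7, 3, 3
    m = mat_order(jordan_block(lam, c, p), p)   # 42 = lcm(|lambda| = 6, p = 7): p divides m
    for k in (5, 11, 7):
        ok, corner = power_is_single_block(lam, c, k, p)
        predicted = pow(k * pow(lam, k - 1, p), c - 1, p)
        print(f"k={k} gcd(k,m)={gcd(k, m)} single block={ok} corner={corner} predicted={predicted}")
```

For $k = 5$ and $k = 11$ (both coprime with $m = 42$) the corner entry is nonzero and equals the predicted value, so the minimal polynomial of $M^k$ is $(x-\lambda^k)^3$; for $k = 7$ the matrix $M^7$ is $3I$, the corner entry is $0$ and the elementary divisors are three copies of $(x-3)$.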

Lemma 5.2. Let $M_1$ and $M_2$ be two matrices in $GL(r,\mathbb{F})$, where $r$ denotes a positive integer and $\mathbb{F}$ denotes a finite field. Let $m$ be an integer such that $M_1^m = M_2^m = I$, and $k$ be an integer in $\mathbb{Z}_m^*$. Then $M_1$ and $M_2^k$ are similar in $GL(r,\mathbb{F})$ if and only if, for all positive integers $d$ and $\ell$, the equality $[\Sigma_{d,\ell}(M_2)]^k = \Sigma_{d,\ell}(M_1)$ holds.

Proof. Let $\mathbb{K}$ be a field extension of $\mathbb{F}$ splitting the minimal polynomial of $M_2$. Denote by $(x-\mu_1)^{c_1},\dots,(x-\mu_s)^{c_s}$ the elementary divisors of $M_2$ (where the $\mu_i$'s are elements of $\mathbb{K}$ that may not be distinct). If $k$ is coprime with $m$, then Lemma 5.1 implies (using the Jordan normal form of $M_2$ over $\mathbb{K}$) that the elementary divisors of $M_2^k$ are $(x-\mu_1^k)^{c_1},\dots,(x-\mu_s^k)^{c_s}$. Since two matrices are similar in $GL(r,\mathbb{F})$ if and only if they have the same elementary divisors, the claim follows from the fact that, if $\mathbb{K}_i$ is the smallest subfield of $\mathbb{K}$ containing $\mu_i$, then $\mathbb{K}_i$ is also the smallest subfield of $\mathbb{K}$ containing $\mu_i^k$ (since $k$ is coprime with the order of $\mu_i$, which divides $m$). □

We now present the proof of Theorem 5.1.

Proof of Theorem 5.1. Remember that $m_1$ and $m_2$ denote the minimal positive integers such that $[M_1^{(h)}]^{m_1} = I$ and $[M_2^{(h)}]^{m_2} = I$ for all $h\in\{1,\dots,u\}$. Notice that, if $m_1$ does not divide $m_2$, then there is no solution to the problem DISCRETE LOG UP TO CONJUGACY. If $m_1$ divides $m_2$ but $m_1\neq m_2$, then a solution (if it exists) can be found by replacing each matrix $M_2^{(h)}$ by $[M_2^{(h)}]^{m_2/m_1}$. Thus, without loss of generality, we suppose hereafter that $m_1 = m_2$ and denote by $m$ this value. Then a solution $k$ can be searched for in the set $\mathbb{Z}_m^*$.

Let us fix an integer $h\in\{1,\dots,u\}$ and suppose that $\mathbb{F}_h = GF(q_h)$, where $q_h$ is some prime power. We first compute the invariant factors over $\mathbb{F}_h$ of $M_1^{(h)}$ and $M_2^{(h)}$. This can be done in $O(r_h^3)$ field operations, using for example the algorithm by Storjohann [32]. We then factor these invariant factors over $\mathbb{F}_h$ using the Cantor-Zassenhaus algorithm [8], running in time polynomial in $r_h$ and $\log|\mathbb{F}_h|$. Let us denote by $D_h$ the set of degrees of the irreducible factors (over $\mathbb{F}_h$) appearing in at least one of these invariant factors. Notice that obviously $|D_h|\le 2r_h$, since each of $M_1^{(h)}$ and $M_2^{(h)}$ has at most $r_h$ invariant factors. For each $d\in D_h$ and each integer $\ell\in\{1,\dots,r_h\}$, we compute the sets $\Sigma_{d,\ell}(M_1^{(h)})$ and $\Sigma_{d,\ell}(M_2^{(h)})$ defined in Definition 5.1 as follows: the irreducible factors of degree $d$ of the invariant factors of $M_1^{(h)}$ and $M_2^{(h)}$ are factorized over $GF(q_h^d)$ using the Cantor-Zassenhaus algorithm [8], and the elementary divisors of degree $\ell$ are then collected.
Lemma 5.2 implies that there exists a solution to the problem DISCRETE LOG UP TO CONJUGACY if and only if there exists some integer $k\in\mathbb{Z}_m^*$ such that $[\Sigma_{d,\ell}(M_2^{(h)})]^k = \Sigma_{d,\ell}(M_1^{(h)})$ for all integers $h\in\{1,\dots,u\}$, all integers $d\in D_h$ and all integers $\ell\in\{1,\dots,r_h\}$. Such an integer $k$ (if it exists) can then be found with high probability using the quantum algorithm of Theorem 4.1, in time polynomial in $u$, $\log m$, and $\max_{1\le h\le u}(r_h + \log|\mathbb{F}_h|)$ (the sets $\Sigma_{d,\ell}$ live in fields $GF(q_h^d)$ with $d\le r_h$, and each has at most $r_h$ elements).

Finally, if such a solution $k$ exists, then, for each $h\in\{1,\dots,u\}$, a matrix $M^{(h)}\in GL(r_h,\mathbb{F}_h)$ such that $M^{(h)}M_1^{(h)} = [M_2^{(h)}]^kM^{(h)}$ can be computed for this value of $k$ in time polynomial in $r_h$ and $\log|\mathbb{F}_h|$ using efficient classical algorithms, for example the algorithm by Storjohann [32]. □

6 Proof of Theorem 1.2

We first state some technical results by Le Gall [23] that we use to prove Theorem 1.2. The first is a result from [23] giving necessary and sufficient conditions for the isomorphism of two groups in the class $\mathcal{S}$.

Proposition 6.1 (Proposition 5.1 in [23]). Let $G$ and $H$ be two groups in $\mathcal{S}$. Let $(A_1,\langle y_1\rangle)$ and $(A_2,\langle y_2\rangle)$ be standard decompositions of $G$ and $H$ respectively and let $\varphi_1\in\mathrm{Aut}(A_1)$ (resp. $\varphi_2\in\mathrm{Aut}(A_2)$) be the action by conjugation of $y_1$ on $A_1$ (resp. of $y_2$ on $A_2$). The groups $G$ and $H$ are isomorphic if and only if the following three conditions hold: (i) $A_1\cong A_2$; (ii) $|y_1| = |y_2|$; and (iii) there exist a positive integer $k$ and an isomorphism $\chi: A_1\to A_2$ such that $\varphi_1 = \chi^{-1}\varphi_2^k\chi$, where $\varphi_2^k$ means $\varphi_2$ composed with itself $k$ times.

From now on, we identify, for any prime $p$, the finite field of size $p$ with $\mathbb{Z}_p$. The following proposition summarizes the key elements of the classical algorithm by Le Gall [23] that we will need.

Proposition 6.2 ([23]). Let $A_1$ and $A_2$ be two isomorphic abelian groups. Let $(g_1,\dots,g_s)$ and $(h_1,\dots,h_s)$ be bases of $A_1$ and $A_2$ respectively. Suppose that $A_1\cong(\mathbb{Z}_{p_1^{f_1}})^{r_1}\times\dots\times(\mathbb{Z}_{p_t^{f_t}})^{r_t}$, where each $r_i$ is a positive integer, and each $p_i$ is a prime but $p_i^{f_i}\neq p_j^{f_j}$ for $i\neq j$. Denote $V = GL(r_1,\mathbb{Z}_{p_1})\times\dots\times GL(r_t,\mathbb{Z}_{p_t})$. Then there exist two homomorphisms $\Phi_1:\mathrm{Aut}(A_1)\to V$ and $\Phi_2:\mathrm{Aut}(A_2)\to V$ such that, for any two automorphisms $\zeta_1\in\mathrm{Aut}(A_1)$ and $\zeta_2\in\mathrm{Aut}(A_2)$ of order coprime with $|A_1|$, the following two assertions are equivalent:

(i) there exists an isomorphism $\chi: A_1\to A_2$ such that $\zeta_1 = \chi^{-1}\zeta_2\chi$;

(ii) there exists an element $X\in V$ such that $\Phi_1(\zeta_1) = X^{-1}\Phi_2(\zeta_2)X$.

Moreover, if, for each $j\in\{1,\dots,s\}$, integers $u_{ij}$ and $v_{ij}$ such that $\zeta_1(g_j) = g_1^{u_{1j}}\cdots g_s^{u_{sj}}$ and $\zeta_2(h_j) = h_1^{v_{1j}}\cdots h_s^{v_{sj}}$ are known, then the following holds:

(a) the images $\Phi_1(\zeta_1)$ and $\Phi_2(\zeta_2)$ can be computed (classically) in time polynomial in $\log|A_1|$;

(b) given an explicit element $X\in V$ such that $\Phi_1(\zeta_1) = X^{-1}\Phi_2(\zeta_2)X$, an isomorphism $\chi: A_1\to A_2$ such that $\zeta_1 = \chi^{-1}\zeta_2\chi$ can be computed (classically) in time polynomial in $\log|A_1|$.

We now present our proof of Theorem 1.2.

Proof of Theorem 1.2. Suppose that $G$ and $H$ are two groups in the class $\mathcal{S}$. In order to test whether these two groups are isomorphic, we first run Procedure DECOMPOSE on $G$ and $H$ and obtain outputs $(U_1,y_1)$ and $(U_2,y_2)$ such that $(\langle U_1\rangle,\langle y_1\rangle)$ and $(\langle U_2\rangle,\langle y_2\rangle)$ are standard decompositions of $G$ and $H$ respectively with high probability (from Theorem 3.1). The running time of this step is polynomial in the logarithms of $|G|$ and $|H|$, from Theorem 3.1. Denote $A_1 = \langle U_1\rangle$ and $A_2 = \langle U_2\rangle$. The orders of $A_1$, $A_2$, $y_1$ and $y_2$ are then computed using the quantum algorithms for Tasks (i) and (ii) in Theorem 2.1. Notice that $|G| = |A_1|\cdot|y_1|$ and $|H| = |A_2|\cdot|y_2|$. If $|G|\neq|H|$, we conclude that $G$ and $H$ are not isomorphic. In the following, we suppose that $|G| = |H|$ and denote by $n$ this order.

If $|y_1|\neq|y_2|$ we conclude that $G$ and $H$ are not isomorphic, from Proposition 6.1. Otherwise denote $|y_1| = |y_2| = m$. Then we compute a basis $(g_1,\dots,g_s)$ of $A_1$ and a basis $(h_1,\dots,h_{s'})$ of $A_2$ using the quantum algorithm for Task (ii) in Theorem 2.1. Given these bases it is easy to check the isomorphism of $A_1$ and $A_2$: the groups $A_1$ and $A_2$ are isomorphic if and only if $s = s'$ and there exists a permutation $\sigma$ of $\{1,\dots,s\}$ such that $|g_i| = |h_{\sigma(i)}|$ for each $i\in\{1,\dots,s\}$. If $A_1\not\cong A_2$ we conclude that $G$ and $H$ are not isomorphic, from Proposition 6.1.

Now suppose that $A_1\cong A_2\cong(\mathbb{Z}_{p_1^{f_1}})^{r_1}\times\dots\times(\mathbb{Z}_{p_t^{f_t}})^{r_t}$, where each $p_i$ is a prime, but $p_i^{f_i}\neq p_j^{f_j}$ for $i\neq j$. We want to decide whether the action by conjugation $\varphi_1\in\mathrm{Aut}(A_1)$ of $y_1$ on $A_1$ and the action by conjugation $\varphi_2\in\mathrm{Aut}(A_2)$ of $y_2$ on $A_2$ satisfy Condition (iii) in Proposition 6.1. Notice that, for each $j\in\{1,\dots,s\}$, we can compute (in time polynomial in $\log n$) integers $u_{ij}$ and $v_{ij}$ such that $\varphi_1(g_j) = y_1g_jy_1^{-1} = g_1^{u_{1j}}\cdots g_s^{u_{sj}}$ and $\varphi_2(h_j) = y_2h_jy_2^{-1} = h_1^{v_{1j}}\cdots h_s^{v_{sj}}$ using the quantum algorithm for Task (iii) in Theorem 2.1. From Proposition 6.2 the images $\Phi_1(\varphi_1)$ and $\Phi_2(\varphi_2)$ can then be computed in time polynomial in $\log n$. Notice that $[\Phi_1(\varphi_1)]^m = [\Phi_2(\varphi_2)]^m = I$.

Since the map $\Phi_2$ is a homomorphism, Proposition 6.2 implies that there exist a positive integer $k$ and an isomorphism $\chi: A_1\to A_2$ such that $\varphi_1 = \chi^{-1}\varphi_2^k\chi$ if and only if $\Phi_1(\varphi_1)$ and $[\Phi_2(\varphi_2)]^k$ are conjugate in the group $V = GL(r_1,\mathbb{Z}_{p_1})\times\dots\times GL(r_t,\mathbb{Z}_{p_t})$ (note that $\varphi_1$ and $\varphi_2^k$ have order dividing $m$, which is coprime with $|A_1|$, as Proposition 6.2 requires). If we denote $\Phi_1(\varphi_1) = (M_1^{(1)},\dots,M_1^{(t)})$ and $\Phi_2(\varphi_2) = (M_2^{(1)},\dots,M_2^{(t)})$, where each $M_1^{(g)}$ and each $M_2^{(g)}$ are matrices in $GL(r_g,\mathbb{Z}_{p_g})$, then checking whether the latter condition holds becomes an instance of the problem DISCRETE LOG UP TO CONJUGACY, and can be decided using the algorithm of Theorem 5.1 in time polynomial in $t$, $\log m$, and $\max_{1\le g\le t}(r_g + \log p_g)$, i.e., in time polynomial in $\log n$.

If the above instance of DISCRETE LOG UP TO CONJUGACY has no solution, we conclude that $G$ and $H$ are not isomorphic. Otherwise we take one value $k$ such that $\Phi_1(\varphi_1)$ and $[\Phi_2(\varphi_2)]^k$ are conjugate, along with an element $X\in V$ such that $X\Phi_1(\varphi_1) = [\Phi_2(\varphi_2)]^kX$ (such an element is obtained from the output of the algorithm of Theorem 5.1), and compute an isomorphism $\chi$ from $A_1$ to $A_2$ such that $\varphi_1 = \chi^{-1}\varphi_2^k\chi$ using the last part of Proposition 6.2. The map $\mu: G\to H$ defined as $\mu(xy_1^j) = \chi(x)\,y_2^{kj}$ for any $x\in A_1$ and any $j\in\{0,\dots,m-1\}$ is then an isomorphism from $G$ to $H$ (a detailed proof of this statement can be found in the proof of Proposition 6.1 included in [23]). □